How do I change M2M access_token lifetime?

When I obtain a new access_token using the Client Credentials flow, the expiry time is always set to one hour (3600 seconds). Ideally, I would want these tokens to be valid for longer.

I see docs that mention you can change Token Expiration (Seconds) and Token Expiration For Browser Flows (Seconds) in API settings, however, the settings page for my API only shows Maximum Access Token Lifetime, and Implicit/Hybrid Flow Access Token Lifetime.

My maximum lifetime is set to 86400 seconds, and implicit/hybrid is set to 7200 seconds.

Why are my JWTs only valid for one hour? Where is the 3600 value set? How can I change it to 24 hours?

Hi @dave.natalie

Welcome back to the Auth0 Community!

I believe the Token Expiration setting you are talking about is the one available through the M2M application created in your Auth0 Dashboard. The token expiration time of 3600 is set by default for applications, which appears to override the tokens provided by the API.

If you go to your M2M application’s settings you should see the following:

If you have any other questions or need further assistance on the matter, feel free to leave a reply!

Kind Regards,
Nik

Thanks for the response!

I don’t understand why the lifetime of the ID token would affect the lifetime of the access token, but that being said, I can see that the value in my application settings is in fact set to 36000 seconds (10 hours), but the exp value token in my access_token is 3600 seconds (1 hour).

Here is a screenshot from the .NET debugger that shows the value I am receiving from Auth0.

I can’t find “3600” anywhere in any settings.

Edit: To clarify, my iat and exp are 3600 seconds apart. The exp itself is not “3600”.

{
 "iat": 1742409396, // (March 19, 2025 6:36:36 PM UTC)
 "exp": 1742412996, //(March 19, 2025 7:36:36 PM UTC)
}

Hi again

Sorry, I must have misread something in your post and made myself believe you were referring to the ID Token. It has been a long day! :sweat_smile:

Thanks for providing me the screenshot, I will investigate some more regarding the matter. Do you mind sharing via a DM the tenant name on which you have this issue so I can take a look around?

Kind Regards,
Nik

Following up with our private conversation regarding the matter.

I have proposed using the following cURL command in order to investigate what token expiration is returned by the response:

curl --request POST \
  --url 'https://{{AUTH0_DOMAIN}}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data audience=YOUR_API_IDENTIFIER

As you have confirmed, when making the cURL request and also another call from your Postman application, the token expiration returned matched the one set via the Auth0 Dashboard.

I have identified an action where you set a token inside the cache, which could affect the value returned by your application; however, that is unlikely.

As you have stated, the issue might reside inside a library used in your application called IdentityModel.Client which might modify or replace the actual lifetime set by the dashboard. I will be posting the screenshot you have shared with me for reference so that anybody else can take a look at it:

(If you want to have this screenshot removed, let me know!)

Whenever you identify the issue within the application which would modify the lifetime of the token, feel free to share it with the rest of the community!

Otherwise, if you have any other questions, just leave a reply or post again on the community referencing this post!

Kind Regards,
Nik
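
One way to run the comparison discussed in this thread, as an added example that is not part of the original posts: decode the access token's payload and compare `exp - iat` with the `expires_in` field and the configured lifetime, once for the raw token-endpoint response and once for the token the application actually holds. The function names and sample responses are constructed for illustration; 86400 is assumed to be the configured value, taken from the Maximum Access Token Lifetime mentioned in the question.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (opaque token?)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_lifetime(token_response: dict, configured: int) -> dict:
    """Compare the lifetime inside the token with expires_in and the configured value."""
    claims = jwt_claims(token_response["access_token"])
    if "iat" not in claims or "exp" not in claims:
        raise ValueError("token has no iat/exp claims")
    issued = claims["exp"] - claims["iat"]
    expires_in = token_response.get("expires_in")
    return {
        "jwt_lifetime": issued,
        "expires_in": expires_in,
        "matches_expires_in": expires_in == issued,
        "matches_configured": issued == configured,
    }

def make_sample(iat: int, exp: int, expires_in: int) -> dict:
    # Constructed sample response; header and signature are placeholders.
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"iat": iat, "exp": exp}).encode())
    return {"access_token": f"{header}.{body}.placeholder-signature",
            "expires_in": expires_in, "token_type": "Bearer"}

CONFIGURED = 86400  # assumption: Maximum Access Token Lifetime from the question
# iat/exp quoted in the thread (3600 s apart); expires_in here is constructed.
SAMPLE_APP = make_sample(1742409396, 1742412996, 3600)
# Constructed: a direct token-endpoint response that honours the configured value.
SAMPLE_CURL = make_sample(1742409396, 1742409396 + CONFIGURED, CONFIGURED)

if __name__ == "__main__":
    for name, resp in (("app", SAMPLE_APP), ("curl", SAMPLE_CURL)):
        print(name, check_lifetime(resp, CONFIGURED))
```

If the direct response matches the configured value and the application's token does not, the difference is introduced between the token endpoint and the application (a cached token, or different request parameters), not by the API settings.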
