How do SPA access token expires when used against custom API to authenticate

Get Help
1

I am implementing a Django REST API with React. I followed this tutorial and fits perfectly as my requirement.

As per the code implementation from the tutorial,

def jwt_decode_token(token):
    header = jwt.get_unverified_header(token)
    jwks = requests.get(
        settings.SOCIAL_AUTH_AUTH0_DOMAIN + "/.well-known/jwks.json"
    ).json()
    public_key = None
    for jwk in jwks["keys"]:
        if jwk["kid"] == header["kid"]:
            public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk))

    if public_key is None:
        raise Exception("Public key not found.")

    issuer = settings.SOCIAL_AUTH_AUTH0_DOMAIN + "/"
    return jwt.decode(
        token,
        public_key,
        audience=settings.SOCIAL_AUTH_AUTH0_AUDIENCE,
        issuer=issuer,
        algorithms=["RS256"],
    )

it seems we don’t use the decode_token method that the package provided.

All the access tokens got from the SPA using getAccessTokenSilently() to authenticate my custom API, apparently, all are working. The function invokes with every new page refresh.

Also, the docs say…

By default, an access token for a custom API is valid for 86400 seconds (24 hours).

So I assume that’s why both are working. What will be the workaround if I don’t want the last token to remain to validate.

3

Hi @Karunamay,

Thanks for reaching out to the Auth0 Community!

First, you can manage your access token lifetime settings by going to your Auth0 Dashboard > Applications > APIs and clicking on your API. On the settings page, there is the option to configure the Token Expiration (Seconds) for your access tokens.

After doing so, you can control when the access token expires.

Note that when using the getAccessTokenSilently() method, you are using silent authentication which leverages the use of refresh tokens to refresh the user’s login session without prompting for credentials again.

In your case, using the getAccessTokenSilently() method would refresh the expiration of an access token that has access to a specific resource server (API).

Access tokens cannot be invalidated: they are designed to be self-contained, not requiring a check with Auth0 to validate, so there is no way to invalidate them.

For this reason, access tokens should have a short lifetime. [credit to John Gately’s post]

Given that, you could consider setting a low Token Expiration time for the access token while keeping the same refresh token expiration time. This way, you can selectively call silent auth to get a new access token to gain access to the API.

Hoped this addresses your concerns.

Please feel free to reach out if you have additional questions.

Thank you.