How do SPA access token expires when used against custom API to authenticate

Hi @Karunamay,

Thanks for reaching out to the Auth0 Community!

First, you can manage your access token lifetime settings by going to your Auth0 Dashboard > Applications > APIs and clicking on your API. On the settings page, there is the option to configure the Token Expiration (Seconds) for your access tokens.

After doing so, you can control when the access token expires.

Note that when using the getAccessTokenSilently() method, you are using silent authentication which leverages the use of refresh tokens to refresh the user’s login session without prompting for credentials again.

In your case, using the getAccessTokenSilently() method would refresh the expiration of an access token that has access to a specific resource server (API).

Access tokens cannot be invalidated: they are designed to be self-contained, not requiring a check with Auth0 to validate, so there is no way to invalidate them.

For this reason, access tokens should have a short lifetime. [credit to John Gately’s post]

Given that, you could consider setting a low Token Expiration time for the access token while keeping the same refresh token expiration time. This way, you can selectively call silent auth to get a new access token to gain access to the API.

Hope this addresses your concerns.

Please feel free to reach out if you have additional questions.

Thank you.

2 Likes
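The pattern the reply describes (a short access-token lifetime, refreshed on demand through silent authentication, and enforced only by `exp` because access tokens cannot be revoked) looks like the following when written out. This is an added example, not code from the Auth0 post or from the Auth0 SDK. It assumes the access token is a JWT carrying `exp` and `aud` claims, that the Auth0 client object exposes `getAccessTokenSilently()` as in `auth0-spa-js`, and it stands in a fake client and a controllable clock so it runs offline; the client-side decode does not verify signatures, which a real API must do with its JWKS before trusting any claim.

```javascript
// Added example (not from the Auth0 post): SPA-side token caching with early
// refresh, plus the resource-server check that makes `exp` the hard cutoff.
// Assumptions: JWT access tokens with `exp` and `aud`; a client object with
// getAccessTokenSilently() as in auth0-spa-js. No signature verification here.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the payload of a JWT without verifying it. Fine for UX decisions such
// as "refresh before calling the API?", never for authorization decisions.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Build an unsigned test token (constructed sample; the signature is a dummy).
function makeTestJwt(payload) {
  return `${base64UrlEncode({ alg: 'none', typ: 'JWT' })}.${base64UrlEncode(payload)}.dummy`;
}

// True when the token is expired or expires within `leeway` seconds, so the
// SPA refreshes slightly early instead of sending a token the API will reject.
function isExpiringSoon(token, nowSeconds, leeway = 30) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true; // no exp: treat as unusable
  return exp - leeway <= nowSeconds;
}

// SPA-side cache: only goes back to Auth0 (silent auth, i.e. the refresh
// token) when the cached access token is about to expire.
class AccessTokenManager {
  constructor(auth0Client, clock) {
    this.client = auth0Client; // must expose getAccessTokenSilently()
    this.clock = clock;        // () => epoch seconds, injectable for tests
    this.cached = null;
  }
  async getToken() {
    if (this.cached && !isExpiringSoon(this.cached, this.clock())) {
      return this.cached;
    }
    this.cached = await this.client.getAccessTokenSilently();
    return this.cached;
  }
}

// Resource-server side: access tokens cannot be revoked, so `exp` is the only
// cutoff and is enforced strictly (after signature verification, which a real
// API delegates to a JWT library).
function resourceServerAccepts(token, nowSeconds, expectedAudience) {
  const claims = decodeJwtPayload(token);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  if (claims.aud !== expectedAudience) {
    return { ok: false, reason: 'wrong audience' };
  }
  return { ok: true, reason: 'ok' };
}

// Scenario with a fake Auth0 client and a controllable clock: a 60-second
// access token is fetched once, reused while fresh, rejected by the API once
// it ages out, and then replaced by a second silent-auth call.
async function runScenario() {
  const audience = 'https://api.example.test'; // constructed value
  let now = 1700000000;                        // constructed epoch seconds
  let silentCalls = 0;
  const fakeClient = {
    async getAccessTokenSilently() {
      silentCalls += 1;
      return makeTestJwt({ aud: audience, exp: now + 60 });
    },
  };
  const manager = new AccessTokenManager(fakeClient, () => now);

  const first = await manager.getToken();
  const second = await manager.getToken();                     // cached
  const acceptedFresh = resourceServerAccepts(first, now, audience).ok;
  now += 120;                                                  // token aged out
  const rejectedOld = resourceServerAccepts(first, now, audience).reason;
  const third = await manager.getToken();                      // silent auth again

  return {
    silentCalls,
    reusedCache: first === second,
    acceptedFresh,
    rejectedOld,
    refreshed: third !== first,
  };
}
```

The 30-second leeway is the one knob worth tuning against the Token Expiration (Seconds) value chosen in the dashboard: with a very short access-token lifetime, the leeway must stay well below it, or the manager will refresh on every call and the refresh token does all the work.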