How long is a code valid for exchanging with tokens?

We have an OIDC callback that receives the code via a query param. We then call the Auth0 oauth/token API to exchange the code for tokens.

I can see that the code appears to be a single-use code. The second call to the token endpoint with the same code gives an error.

But if I don’t use the code at all, how long will it be valid for before it times out and can no longer be used for exchange?


Hi @djones,

Welcome to the Auth0 Community Forum!

I can’t find a specific time, but according to the spec:

The authorization code generated by the
authorization server. The authorization code MUST expire
shortly after it is issued to mitigate the risk of leaks. A
maximum authorization code lifetime of 10 minutes is

Hope this helps,

Thanks Dan, that was very helpful.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.