How to have long expiration access tokens for API access?

So I have an Angular SPA gaming website that allows users to store non-sensitive data on an API backed by MySQL. Users authorize with Auth0, simply so I can store and fetch their data separate from other users. Since I don’t store any sensitive information, I’m not very concerned about long lived tokens, and I would like to have my tokens last for weeks to months. I’m using the implicit grant method for my SPA.

First I used the Angular Auth0 quickstart guide to enable authorization, and get an id token and access token, check. The access token is way too short to be a JWT and would not work with my PHP backend API, but I was able to checkJWT on the id token. Unfortunately the ID token only lasts 2 hours and after reading more documentation I learned that I should not be using the ID token for API access. (I get it, the id token could be altered and resigned by the client app, so it’s not trustworthy)

After more reading, I realized that I need to supply the API backend as the “audience” during authorization, after which I’m given a properly formed JWT access token I can use for API access. Great, but that access token only lasts a maximum of 24 hours.

Also the access token doesn’t have an “email” attribute, which is what I’m using as my user identification on my backend. Ok, I read that I can use the access token on the /userinfo endpoint to fetch profile information including the user’s email. Great.

Now all the queries to my API fail with “Too many retries”? What? I’m rate limited on the /userinfo endpoint to 5 per minute?? Ok, that’s not the right solution. Ok, I read up on rules… I can use rules to add attributes to the access token after authorization. Ok, I can add the user.email attribute to my access token, and avoid the /userinfo endpoint.

Seems like I had to jump through a lot of hoops and make lots of mistakes to do very basic/standard authorization? And even with all this working, I’ve only managed to increase my token lifetime from 2 hours to 24 hours?

Can I go longer than 24 hours with implicit grant?

I guess the answer is that 24 hours is the max expiration. :slightly_frowning_face:
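The two pieces the post above arrives at, a rule that copies the user’s email into the access token as a namespaced claim, and backend-side checks on `aud`, `iss` and `exp` so an ID token (or a token minted for another API) is not accepted, as an added example that is not code from the thread or from Auth0. The namespace, audience and issuer values are placeholders; the claim checks are meant to run only after your JWT library has verified the RS256 signature.

```javascript
// Added example, not from the thread or Auth0's own code.
// Part 1: an Auth0-style rule that copies user.email into the access token.
// Auth0 requires custom claims to be namespaced URLs; NAMESPACE is a placeholder.
const NAMESPACE = 'https://example.com/';

function addEmailToAccessToken(user, context, callback) {
  context.accessToken[NAMESPACE + 'email'] = user.email;
  callback(null, user, context);
}

// Part 2: backend-side claim checks, run AFTER the JWT library has verified
// the RS256 signature. Decoding alone proves nothing about who issued the token.
function checkAccessTokenClaims(payload, { audience, issuer, nowSeconds }) {
  // aud may be a string or an array (API identifier plus /userinfo);
  // it must include this API's identifier, which an ID token never does.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(audience)) {
    return { ok: false, reason: 'audience mismatch (ID token or token for another API?)' };
  }
  if (payload.iss !== issuer) return { ok: false, reason: 'unexpected issuer' };
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) {
    return { ok: false, reason: 'token expired' };
  }
  const email = payload[NAMESPACE + 'email'];
  if (typeof email !== 'string') return { ok: false, reason: 'missing email claim' };
  return { ok: true, email };
}

// Decode the payload segment of a compact JWT (base64url) without verifying it;
// useful for inspecting exp/aud while debugging lifetimes, never for trust decisions.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Run the rule on a constructed user/context (no real Auth0 tenant involved)
// and return the resulting access-token claims.
function simulateRule(user, context) {
  let claims;
  addEmailToAccessToken(user, context, (err, u, ctx) => { claims = ctx.accessToken; });
  return claims;
}
```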

Hello @ctung,

Access tokens for your API can have a lifetime of up to 30 days. You can also use refresh tokens to get essentially never ending access.

That is totally correct! You can read more about refresh tokens here:

How do I set my access token to 30 days? When I try setting it for more than 86400 I get this message:

The page you linked me says this:

So does this mean I’m using an “Access Token issued for accessing OpenID Connect”, when I should be using a different Access Token? How do I request an Access token that does allow for > 24 hours?

Also the refresh token is not supposed to be handled by SPA clients? So I can’t use a refresh token?

So I’m supposed to use Silent Authentication:

Which will return an access token if the user is logged in via SSO. What is the expiration time of an SSO session?