How to have long expiration access tokens for API access?

So I have an Angular SPA gaming website that allows users to store non-sensitive data on an API backed by MySQL. Users authorize with Auth0, simply so I can store and fetch their data separate from other users. Since I don't store any sensitive information, I'm not very concerned about long-lived tokens, and I would like to have my tokens last for weeks to months. I'm using the implicit grant method for my SPA.

First I used the Angular Auth0 quickstart guide to enable authorization, and get an ID token and access token, check. The access token is way too short to be a JWT and would not work with my PHP backend API, but I was able to checkJWT on the ID token. Unfortunately the ID token only lasts 2 hours and after reading more documentation I learned that I should not be using the ID token for API access. (I get it, the ID token could be altered and re-signed by the client app, so it's not trustworthy.)

After more reading, I realized that I need to supply the API backend as the “audience” during authorization, after which I'm given a properly formed JWT access token I can use for API access. Great, but that access token only lasts a maximum of 24 hours.

Also the access token doesn't have an “email” attribute, which is what I'm using as my user identification on my backend. Ok, I read that I can use the access token on the /userinfo endpoint to fetch profile information including the user's email. Great.

Now all the queries to my API fail with “Too many retries”? What? I'm rate limited on the /userinfo endpoint to 5 per minute?? Ok, that's not the right solution. Ok, I read up on rules… I can use rules to add attributes to the access token after authorization. Ok, I can add the user.email attribute to my access token, and avoid the /userinfo endpoint.

Seems like I had to jump through a lot of hoops and make lots of mistakes to do very basic/standard authorization? And even with all this working, I've only managed to increase my token lifetime from 2 hours to 24 hours?

Can I go longer than 24 hours with implicit grant?

I guess the answer is that 24 hours is the max expiration. :slightly_frowning_face:

Hello @ctung,

Access tokens for your API can have a lifetime of up to 30 days. You can also use refresh tokens to get essentially never ending access.

That is totally correct! You can read more about refresh tokens here:

How do I set my access token to 30 days? When I try setting it for more than 86400 I get this message:

The page you linked me says this:

So does this mean I'm using an “Access Token issued for accessing OpenID Connect”, when I should be using a different Access Token? How do I request an Access Token that does allow for > 24 hours?

Also the refresh token is not supposed to be handled by SPA clients? So I canā€™t use a refresh token?

So Iā€™m supposed to use Silent Authentication:

Which will return an access token if the user is logged in via SSO. What is the expiration time of an SSO session?