How to renew token after a long time?

I talked to Ryan Chenkie, ex-community advocate of Auth0. In summary, my learnings are:

  • Increase your expiry time (which decreases security). I think the best idea here is to be reasonable about how long one token is valid. I'm setting it to a two-month expiry so the users aren't logged out too often. For sites with frequent visitors a much lower expiry should be fine; I think this is on a case-by-case basis.
  • It's best practice to only renew a token right when it expires, though theoretically there's nothing stopping you from renewing the token right away, as soon as the user visits your website (and their token hasn't expired yet).
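As an added example (not code from the thread or from Auth0), here is a minimal HS256 JWT mint/verify/renew in Python that puts the two policies above side by side: renew only inside a window before expiry, and cap the total age of a login so repeated renewals cannot keep a session alive indefinitely. The TOKEN_TTL, RENEW_WINDOW and MAX_SESSION values and the auth_time claim are constructed assumptions, not from the post.

```python
import base64, hmac, hashlib, json

# Constructed policy values (assumptions, not from the original thread):
TOKEN_TTL = 60 * 24 * 3600      # two-month token lifetime, as in the post
RENEW_WINDOW = 7 * 24 * 3600    # only renew during the last week of validity
MAX_SESSION = 180 * 24 * 3600   # never renew a login that started >6 months ago

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, secret: bytes, now: int) -> str:
    """Issue an HS256 JWT. 'auth_time' records the original login instant so a
    chain of renewals can still be bounded by MAX_SESSION."""
    payload = dict(claims, iat=now, exp=now + TOKEN_TTL)
    payload.setdefault("auth_time", now)
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token: str, secret: bytes, now: int) -> dict:
    """Return the claims if the signature is valid and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never trust the header's alg blindly
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def renew(token: str, secret: bytes, now: int):
    """Return a fresh token only when the old one is valid, close to expiry,
    and the login is younger than MAX_SESSION; otherwise return None."""
    claims = verify(token, secret, now)      # expired or forged: never renewed
    if claims["exp"] - now > RENEW_WINDOW:
        return None                           # plenty of life left: skip renewal
    if now - claims["auth_time"] > MAX_SESSION:
        return None                           # absolute cap hit: force a real re-login
    fresh = {k: v for k, v in claims.items() if k not in ("iat", "exp")}
    return mint(fresh, secret, now)
```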