How-to use M2M for Event Stream Webhook Bearer Token

Event Stream Webhook needs a Bearer Token. We are planning on using an M2M application defined in Auth0 that will be associated with an API to generate the token for us. How do you go about setting the token expiration to be long-lived or no expiration? Is this the correct approach?

Hi @jquerijero,

Welcome back to the Auth0 Community!

Unfortunately you cannot set the token expiration to a ‘no expiration’ timeframe, which would also not be considered best practice, but you can set the maximum expiration time to 30 days, which should be considered long enough for your M2M application. This is highlighted in the following documentation - Update Access Token Lifetime, which also provides the steps needed to set it up. So even with a long lifetime, you should then handle the token expiration, and renew it before it expires by checking the exp claim from the decoded token.

I hope this helps!
Best regards,
Remus
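The renewal pattern described in the answer above (read the exp claim of the M2M token, request a new one before it runs out), as an added example that is not part of the original thread or of Auth0's SDKs. It assumes a client-credentials grant against the tenant's `/oauth/token` endpoint; the domain, client id, client secret and audience are placeholders, and the offline sample token is constructed, not issued by Auth0.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_exp(token: str) -> int:
    """Read the exp claim of a JWT this client obtained for itself.
    No signature check here: the value only schedules renewal; the
    webhook receiver still verifies the token it is presented with."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def fetch_auth0_m2m_token(domain, client_id, client_secret, audience) -> str:
    """Client-credentials grant against Auth0's /oauth/token (network call)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret,
                                   "audience": audience}).encode()
    req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

class M2MTokenCache:
    """Serves a cached token and renews it `skew` seconds before its exp."""
    def __init__(self, fetch: Callable[[], str], skew: int = 300,
                 now: Callable[[], float] = time.time):
        self._fetch, self._skew, self._now = fetch, skew, now
        self._token: Optional[str] = None
        self._exp = 0
        self.refreshes = 0  # how many times a new token was requested

    def get(self) -> str:
        if self._token is None or self._now() >= self._exp - self._skew:
            self._token = self._fetch()
            self._exp = decode_exp(self._token)
            self.refreshes += 1
        return self._token

def make_constructed_token(exp: int) -> str:
    """Constructed JWT-shaped sample for offline use; not issued by Auth0."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "client@clients", "exp": exp}).encode())
    return f"{header}.{payload}.{_b64url(b'placeholder-signature')}"
```

In production, wire the cache as `M2MTokenCache(lambda: fetch_auth0_m2m_token(DOMAIN, CLIENT_ID, CLIENT_SECRET, AUDIENCE))` and call `get()` right before each webhook delivery so the Authorization header never carries an expired token.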

Is there a feature for Event Stream Webhook to make it so that Auth0 sends a default bearer token? This way we can still use Auth0 as the authenticator/token validator. Something similar to Microsoft Entra SCIM implementation where it sends a default M2M bearer token.

Hi @jquerijero,

Unfortunately Auth0 does not provide such a feature, since, as mentioned in the previous post as well and for security reasons, the maximum lifetime of the token issued from Auth0's side would be 30 days.

However this scenario applies to the Bearer Authentication Method for creating an event stream via webhooks, or by explicitly creating it via the Management API. You also have the option of choosing “Basic” as an Authentication Method if you choose to create the event stream webhook directly from the Auth0 Dashboard, which is static and only requires using a username and password, as detailed here - Create an event stream (webhooks).

Thanks,
Remus

For the sake of discussion of using a default generated bearer token, since the authenticator used by the resource server is Auth0 itself, can Auth0 create/refresh that token upon trigger of the Webhook if needed? This way Auth0 can still enforce the lifetime limit and the integration is easier to implement.