Implement session inactivity timeout

I want to Implement the session inactivity timeout by Rules.
All our requests go to the “userInfo” endpoint. I need to save somewhere the timestamp of the previous userInfo request and run the rule at every new “userInfo” request to validate the saved timestamp and the user domain (can be taken from “”).
Is it possible accomplish that by the Rules?

Hi @mbabayev , welcome to the community!

Is there a reason you couldn’t use the built in session inactivity lifetime settings? If you are currently only getting access tokens for the userinfo endpoint, you could register a custom API within Auth0 and configure the lifetime for Access tokens to something much shorter and appropriate for your use case?

By setting your custom API’s identifier as the audience and a scope of openid in the /authorize requests, you can retrieve an access token that can be used against /userinfo and control its lifetime : Get Access Tokens
Once the user’s session expired from inactivity, they could no longer get a new Access Token and would have until their most recent token’s expiry was reached to call /userinfo

IMO this would be a cleaner solution than attempting something similar via rules.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.