Native app expires_at value is always 12 or 24 hours

When I login to my native Android application using Auth0, the expires_at value from the Credentials object is always:

  • 12 hours, when the scope does not include offline_access
  • 24 hours, when the scope does include offline_access

However, this is despite me setting the ID token and access token to both be 60 seconds.


However, this is not the only issue. When I receive the tokens and decode them, the ID token does expire in 60 seconds but the access token expires in 1 hour - not the 60 seconds that was stated in the Auth0 Management API.

This is causing an issue with our setup as our developers looking after our Auth0 configuration are setting it as we want, but our native apps are not receiving those values

  1. Why does the access token expiry not follow what I’ve put in the Auth0 Management API

  2. Why does the expires_at value in the Credentials object default to 24 or 12 hours, which is very far off the 60 seconds that we want?

Hi @sb.bt

Welcome to the Auth0 Community!

Are you requesting Management API tokens? The token expiry you set in your API settings only applies to tokens issued for that API. Keep in mind, the Management API =/= the Authentication API.

This may be controlled by Configure Session Lifetime Settings.

Hi @dan.woda,

Thanks for your quick reply to my issue.

So I was following this documentation to set the access token expiry, which is why I thought Auth0 Management Api (which was the default API when I created the application).

If this is wrong, can you provide more insight into how to get access to the Authentication API.

The documentations (this and this) state it is really simple to change the expiry of the id and access tokens, but only id token is adhered to.

That said, even though access token comes back with 1 hour expiry, the SDK gives back 24 hours. Unfortunately after changing the value in Configure Session Lifetime Settings, the expires at value still comes back as 24 hours.

Tokens are issued to specific APIs (resource servers), determined by the audience you include with your request initial request to authorize.

A good place to start would be; What are doing with your access tokens?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.