So, basically we want our web clients to have a token timeout of 30 minutes and our M2M tokens to have a timeout of 1 day.
The problem: when we log in using the web flow it uses the token lifetime value for our web tokens. We were surprised as there is a configuration value specifically for web.
Is there some way to get our React app to use tokens with a lifetime shorter than the token lifetime used by M2M applications?
So, wondering then, how can we have different token lifetimes for our M2M tokens and our PKCE tokens? Is that not possible?
We have security requirements for our web-facing applications, but we don’t want to burn tons of M2M tokens as we have a monthly quota to try and stay under.
I don’t think this is possible easily - the token expiration is associated with the API, not the application.
You CAN do this by defining two different APIs in Auth0, one for the M2M application and one for the user-facing app. Your actual API would then have to accept both kinds of tokens (they would have different audiences, but the same signing keys).
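An added example (not from the original thread or from Auth0) of what the receiving API's verifier looks like under the two-audience approach: it accepts either audience with the same signing key, and as defence in depth also rejects a token whose lifetime exceeds the policy for its audience. It assumes HS256 with a constructed shared secret and constructed audience URLs so it runs offline; Auth0 itself signs with RS256, where the verification step would check the JWKS key instead.

```python
import base64, hashlib, hmac, json

# Constructed values for this example only, not real Auth0 identifiers.
SECRET = b"example-shared-signing-key"
# Audience -> maximum accepted lifetime in seconds (web 30 min, M2M 1 day).
MAX_LIFETIME = {"https://web.example/api": 30 * 60,
                "https://m2m.example/api": 24 * 3600}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(aud: str, lifetime: int, now: int) -> str:
    """Stand-in for the issuer: build an HS256 JWT for one audience."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": aud, "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str, now: int) -> dict:
    """Accept a token for either audience, enforcing that audience's lifetime policy."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # no alg confusion
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    auds = claims.get("aud")
    auds = auds if isinstance(auds, list) else [auds]  # aud may be string or array
    known = [a for a in auds if a in MAX_LIFETIME]
    if not known:
        raise ValueError("unknown audience")
    if claims["exp"] <= now:
        raise ValueError("expired")
    # A web token minted with the M2M lifetime is a policy violation, not just a config slip.
    if claims["exp"] - claims["iat"] > max(MAX_LIFETIME[a] for a in known):
        raise ValueError("lifetime exceeds policy for this audience")
    return claims
```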