Auth0 Home Blog Docs

Properly expiring tokens

Hi all, I’m hoping you can help me out.

I’m using the Auth0 SPA JS NPM package (v1.6) to connect my AngularJS (v1) front end to an API. Things are mostly working as expected, but I’ve run into an issue with token expiration.

Essentially, if someone hasn’t done anything in about 20 minutes, I’d like them to be logged out.

I’ve set up my API’s token expiration to be 300s (5 minutes), and the application’s JWT expiration to 1200s (20 minutes). After 300s, I get a 401 response from my API (as expected), and am able to get a new token via getTokenSilently (also as expected).

However, when I came into work this morning, I was still able to get a new token via getTokenSilently. My understanding is that it should have failed, as I was past the JWT expiration time.

What am I doing wrong and/or missing?

Hi mattgrande,

Check out the session lifetime here:

John

1 Like

That’s perfect, John, thank you! Just updated my session time out settings, navigated to my test environment, and I was logged out, as expected.

Glad we were able to help @mattgrande!