Refresh Token Absolute Expiration Clarification Needed

Hi,

We’re using Auth0 in an Android mobile app.

We have enabled Rotating Tokens with an Absolute Expiration of 2592000 and an Access Token Expiration of 2592000. So now my doubt is: if I request an access token after, let’s say, 40 days, will the existing refresh token be valid to fetch a new access token, or is it only valid within 30 days?

Because our users might not use the app for an extended period, between a month and 3 months, so in this case is it always better to set the Absolute Expiration time higher than the Access Token Expiration time? And what’s the max time limit for the absolute expiration time?

Hello,

If you have enabled rotating tokens in Auth0 with an absolute expiration of 2592000 seconds (30 days) and an access token expiration of 2592000 seconds, the existing refresh token will still be valid to fetch a new access token after 40 days. The refresh token is not tied to the access token’s expiration time.

Setting the absolute expiration time longer than the access token expiration time is indeed a good practice in scenarios where users might not use the app for an extended period. It allows them to continue using the app without being prompted to re-authenticate.

The maximum time limit for the absolute expiration time depends on the specific configuration and policies of your Auth0 implementation. It’s recommended to consult the Auth0 documentation or reach out to their support for precise information regarding the maximum allowed value for the absolute expiration time in your setup.

Best regards,
tedmalonet62344
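As an added example (not code from this thread and not Auth0’s implementation), the following Python model ties the three numbers the thread discusses together: an absolute refresh-token lifetime, an access-token lifetime, and rotation on every refresh. The model’s rules are assumptions for illustration: the absolute expiry of a token family is fixed at interactive login and is not extended by rotation, an optional idle (inactivity) lifetime can additionally cut a family off, and presenting an already-rotated token revokes the whole family. The timestamps (day 20, day 40) and the 90-day variant are constructed to match the question and the follow-up.

```python
"""Toy model of rotating refresh tokens with absolute and idle lifetimes.

Added example, not Auth0 code. The lifetime rules below are assumptions of
the model, chosen to exercise the numbers discussed in the thread.
"""
from dataclasses import dataclass
from typing import Optional
import secrets

DAY = 86_400


@dataclass
class RefreshToken:
    value: str
    family_id: str
    used: bool = False          # set once this token has been rotated away


@dataclass
class TokenFamily:
    absolute_expiry: int        # fixed at login; rotation never extends it
    last_used_at: int
    revoked: bool = False


@dataclass
class RefreshResult:
    ok: bool
    reason: str
    refresh_token: Optional[str] = None
    access_expires_at: Optional[int] = None


class RefreshTokenStore:
    def __init__(self, absolute_lifetime: int, access_lifetime: int,
                 idle_lifetime: Optional[int] = None) -> None:
        self.absolute_lifetime = absolute_lifetime
        self.access_lifetime = access_lifetime
        self.idle_lifetime = idle_lifetime      # None disables the idle check
        self.tokens: dict[str, RefreshToken] = {}
        self.families: dict[str, TokenFamily] = {}

    def _issue(self, family_id: str) -> str:
        value = secrets.token_urlsafe(32)
        self.tokens[value] = RefreshToken(value, family_id)
        return value

    def login(self, now: int) -> str:
        """Interactive login: a new family whose absolute expiry is fixed now."""
        family_id = secrets.token_hex(8)
        self.families[family_id] = TokenFamily(now + self.absolute_lifetime, now)
        return self._issue(family_id)

    def refresh(self, value: str, now: int) -> RefreshResult:
        token = self.tokens.get(value)
        if token is None:
            return RefreshResult(False, "unknown refresh token")
        family = self.families[token.family_id]
        if family.revoked:
            return RefreshResult(False, "family revoked")
        if token.used:
            # A rotated-away token presented again means a stale copy exists
            # somewhere (client bug or theft); kill the whole family.
            family.revoked = True
            return RefreshResult(False, "reuse detected, family revoked")
        if now >= family.absolute_expiry:
            return RefreshResult(False, "absolute lifetime exceeded")
        if self.idle_lifetime is not None and now - family.last_used_at >= self.idle_lifetime:
            return RefreshResult(False, "idle lifetime exceeded")
        token.used = True
        family.last_used_at = now
        return RefreshResult(True, "rotated", self._issue(token.family_id),
                             now + self.access_lifetime)


def thread_scenario(absolute_days: int = 30) -> dict:
    """Thread numbers: 30-day access tokens, absolute lifetime as given (constructed)."""
    store = RefreshTokenStore(absolute_days * DAY, access_lifetime=30 * DAY)
    rt = store.login(now=0)
    outcomes = {}
    r = store.refresh(rt, now=20 * DAY)                 # refresh 20 days after login
    outcomes["day20"] = r.reason
    outcomes["access_valid_until_day"] = r.access_expires_at // DAY
    r = store.refresh(r.refresh_token, now=40 * DAY)    # refresh 40 days after login
    outcomes["day40"] = r.reason
    return outcomes


def idle_scenario() -> str:
    """90-day absolute window but a 14-day inactivity limit (model assumption)."""
    store = RefreshTokenStore(90 * DAY, 30 * DAY, idle_lifetime=14 * DAY)
    rt = store.login(now=0)
    return store.refresh(rt, now=20 * DAY).reason


def reuse_scenario() -> list:
    """Replaying a rotated-away token revokes the family, legitimate token included."""
    store = RefreshTokenStore(30 * DAY, 30 * DAY)
    old = store.login(now=0)
    new = store.refresh(old, now=1 * DAY).refresh_token
    return [store.refresh(old, now=2 * DAY).reason,
            store.refresh(new, now=3 * DAY).reason]


if __name__ == "__main__":
    print(thread_scenario(), thread_scenario(absolute_days=90))
    print(idle_scenario(), reuse_scenario())
```

Under these model rules an access token obtained on day 20 is usable until day 50, yet the rotated refresh token from that same exchange is refused on day 40 because the family’s absolute window closed at day 30; raising the absolute lifetime to 90 days makes the day-40 refresh succeed. The idle and reuse cases are there because they are the two other reasons a long absolute window can still end in a forced re-login.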

Thank you so much,

Can we set something like 3 or 6 months for the refresh token lifetime? One thing: currently, for most of our existing users, the refresh token has expired. If we update the refresh token lifetime in the configuration now, will they still be able to log in with the already existing, expired refresh tokens?