Session Idle Timeout and Access Token Interactions

I want to double check my understanding of how session idle timeout works.

Using api.session.setIdleExpiresAt to expire the session in 15 minutes, my session is correctly terminated if the SPA app requests a new access token after 15 minutes.

However, from the user’s perspective, they have been busy interacting with the application using their access token that has a 1-hour lifespan. They would be surprised to learn they were logged out because they were inactive.

I can force interactions with the Auth Server (Auth0) more frequently if I set the lifespan of the access token to 15 minutes; then api.session.setIdleExpiresAt will run again, presumably a few seconds before the expiry time is reached, and so the new token will be issued. But it is probably best to make the access token lifespan a safe margin under 15 minutes.

For a 15 minute session idle time, does Auth0 recommend a 10 minute access token? This would ensure an active user would trigger an interaction with Auth0 before the 15 minute session expiration is reached. Is there concern that the traffic load on Auth0 would increase appreciably should a 10 minute access token become the norm?
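As an added illustration of the interaction described in the question above (example code, not from the original post or from Auth0), here is a post-login Action that sets a 15-minute idle expiry, together with a small offline simulation of how the SPA's access-token renewals interact with that idle window. It assumes that api.session.setIdleExpiresAt accepts an ISO 8601 timestamp, as it does in Auth0 post-login Actions; the simulation's rule that a renewal landing exactly on the idle-expiry minute is too late is a conservative modelling assumption, not Auth0 behaviour.

```javascript
// Added example (not from the original post or from Auth0): a post-login
// Action that sets a 15-minute idle expiry, plus an offline simulation of how
// the SPA's access-token renewals interact with that idle window.
// Assumption: api.session.setIdleExpiresAt takes an ISO 8601 timestamp, as in
// Auth0 post-login Actions.

const IDLE_MINUTES = 15;

// Idle expiry as an ISO 8601 string, computed from an explicit clock value so
// the same logic can be checked offline.
function idleExpiryIso(nowMs, idleMinutes = IDLE_MINUTES) {
  return new Date(nowMs + idleMinutes * 60 * 1000).toISOString();
}

// The post-login Action body. In the deployed Action this function is exported
// as exports.onExecutePostLogin; it runs on every login and on every silent
// token renewal that goes through the Auth0 session.
const onExecutePostLogin = async (event, api) => {
  api.session.setIdleExpiresAt(idleExpiryIso(Date.now()));
};

// Offline model of the SPA/Auth0 interaction. Times are minutes since login.
//   tokenMinutes - access token lifetime
//   idleMinutes  - value the Action passes to setIdleExpiresAt
//   interactions - sorted minutes at which the user triggers an API call
// The SPA only contacts Auth0 when the cached token has expired; the renewal
// succeeds only while the session's idle expiry has not passed, and on success
// the Action runs again and pushes the idle expiry forward.
// Modelling assumption: a renewal that lands exactly on the idle-expiry minute
// is treated as too late (clock skew makes the boundary unsafe in practice).
function simulate({ tokenMinutes, idleMinutes, interactions }) {
  let tokenExpiresAt = tokenMinutes; // token issued at login (minute 0)
  let idleExpiresAt = idleMinutes;   // set by the Action at login
  const renewals = [];
  for (const minute of interactions) {
    if (minute < tokenExpiresAt) continue; // cached token still valid, no Auth0 call
    if (minute >= idleExpiresAt) {
      return { loggedOutAt: minute, renewals }; // session idle-expired: back to login
    }
    renewals.push(minute);
    idleExpiresAt = minute + idleMinutes;   // Action ran again
    tokenExpiresAt = minute + tokenMinutes; // new access token issued
  }
  return { loggedOutAt: null, renewals };
}

// Constructed activity patterns (sample input, not real user data).
const everyMinute = (n) => Array.from({ length: n }, (_, i) => i + 1);
const busyUser = everyMinute(120);                   // clicks every minute for 2 hours
const userWhoSteppedAway = [...everyMinute(30), 60]; // active 30 min, back at minute 60

// 1-hour token, 15-minute idle: the busy user is logged out at minute 60
// without ever having been idle, which is the surprise the question describes.
const surprise = simulate({ tokenMinutes: 60, idleMinutes: 15, interactions: busyUser });

// 10-minute token, 15-minute idle: a renewal every 10 minutes keeps the session alive.
const healthy = simulate({ tokenMinutes: 10, idleMinutes: 15, interactions: busyUser });

// Same settings, genuinely idle user: the idle timeout still does its job at minute 60.
const trulyIdle = simulate({ tokenMinutes: 10, idleMinutes: 15, interactions: userWhoSteppedAway });

// 15-minute token, 15-minute idle: the first renewal lands on the boundary.
const boundary = simulate({ tokenMinutes: 15, idleMinutes: 15, interactions: busyUser });

console.log({ surprise, healthy, trulyIdle, boundary });
```

The three simulate calls with a 15-minute idle window show the trade-off in one place: a token longer than the idle window never gives Auth0 a chance to see the user's activity, a token comfortably shorter than it keeps the session alive exactly as long as the user is active, and a token equal to it depends on the renewal beating the expiry by seconds.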

Hi @ptidwell

Welcome back to the Auth0 Community!

For a 15 minute session idle time, does Auth0 recommend a 10 minute access token?

Yes, regarding the best practices that Auth0 recommends, short-lived tokens are the standard practice. Anything below 30 minutes should be acceptable in regards to “a short-lived token”, depending on your use case. It is generally recommended to have a shorter lifetime for the Access Token, meaning that your approach of 10 minutes for the Access Token and 15 for the Session is great.

Is there concern that the traffic load on Auth0 would increase appreciably should a 10 minute access token become the norm?

No, this should not be an issue since it is a standard practice expected by the platform itself and the increase itself is negligible in regards to the security and user experience benefits.

If you have any other questions, let me know!

Kind Regards,
Nik

Nik, thanks for confirming my understanding and providing reassurance that our approach is the correct one.

