Set different access token expiration depending on application grant type?

Problem statement

I’m seeing that the access token expiration can be set in the API configuration settings.

However, is it possible to have different expirations for Regular Web Applications going through the Authorization Code Flow versus Machine to Machine apps going through client credentials?

We would like users logging into the application to have to log in again each day, but we want our machine-to-machine tokens to last a week.

Solution

Currently, there are two separate values you can set within your API configuration settings to adjust the access token lifetime (expiration time), which are outlined below:

  • Token Expiration (Seconds) - This is the default setting that will apply to all tokens issued in flows not captured by the setting below.
  • Token Expiration For Browser Flows (Seconds) - This setting will adjust the access token lifetime for tokens issued for the API via implicit and hybrid flows.

Unfortunately, this does mean you are not currently able to set a different expiration for authorization code and client credential flows, as these are both captured under the first expiration setting outlined above.

If you require this functionality, the recommendation would be to configure two separate APIs in Auth0, one for your M2M application and one for your user-facing application. The API you build would need to be configured to accept both kinds of tokens (as they would have different audiences).
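The two-API workaround above, as an added example that is not part of the original answer or of Auth0's own code: each audience carries its own lifetime (one day for the user-facing API, one week for the M2M API), and the resource server accepts a token only if its signature checks out, it has not expired, and its `aud` is one of the two configured APIs. The API identifiers and the HS256 signing key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example values: two API identifiers (audiences), each with the
# "Token Expiration (Seconds)" value you would set on that API.
LIFETIMES = {
    "https://example.com/user-api": 24 * 3600,      # users re-authenticate daily
    "https://example.com/m2m-api": 7 * 24 * 3600,   # machine tokens last a week
}
SECRET = b"constructed-demo-signing-key"  # HS256 stand-in for the tenant's signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, audience: str, now: int) -> str:
    """Mint an HS256 JWT whose exp is derived from the audience's configured lifetime."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + LIFETIMES[audience]}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> Optional[dict]:
    """Resource-server check: valid signature, not expired, and aud is one of the two APIs."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") not in LIFETIMES or claims.get("exp", 0) <= now:
        return None
    return claims
```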