I’m considering updating to the PKCE auth flow, which is available in the latest version of the auth0-spa-js.
Can you confirm that this flow is not affected by the 24 hour hard limit on the “Token Expiration For Browser Flows” configuration variable? And, if so, what is the maximum session length I could configure - both active and inactive?
I Haven’t tested this but assuming the documentation is correct, auth code + PKCE is not subject to the fixed 24 hour expiration:
Max access token lifetime is 30 days, which can be extended indefinitely using a refresh token.
Session timeouts depend on whether your have an enterprise plan or not:
Very clear response. Thank you!