I have both an API and SPA defined for an Auth0 tenant. There are so many expiration fields in these 2 things that I don’t know what to use to achieve what I want.
My requirements are as follows:
- Users who login via my SPA should be forced to re-login every 4 hours (14400 seconds)
- API clients (excluding the SPA) should be given an access token that is valid for 5 minutes (300 seconds)
Please advise which settings out of the following I should use to implement these requirements:
- In tenant settings (Advanced): Inactivity timeout; Require login after
- In the API’s settings: Token expiration; Token expiration for browser
- In the SPA’s settings: ID token expiration; Refresh token lifetime; Refresh token reuse interval
Thanks
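Whichever settings end up being used, the way to confirm that the tenant actually issues tokens with the intended lifetimes is to inspect the `iat` and `exp` claims of the tokens it hands out. The following is an added example, not code from the original post or from Auth0: it decodes a JWT payload, computes the granted lifetime, and compares it with the 300-second and 14400-second targets from the requirements. The issuer URL, audience, and HS256-signed sample tokens are constructed placeholders so the script runs offline (Auth0 normally signs with RS256); the decoder deliberately does not verify signatures, so it is only suitable for checking configuration, never for authorizing requests.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_jwt(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT so the example runs without a tenant.
    Hypothetical helper: real Auth0 tokens come from the tenant, not from here."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    Fine for checking lifetimes; never use unverified claims for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime_seconds(token: str) -> int:
    """Lifetime the issuer granted: exp minus iat (both are UNIX seconds)."""
    claims = decode_claims(token)
    for name in ("iat", "exp"):
        if name not in claims:
            raise ValueError(f"missing required claim: {name}")
    return int(claims["exp"]) - int(claims["iat"])


def check_lifetime(token: str, expected_seconds: int, tolerance: int = 5) -> dict:
    """Compare the granted lifetime with the expected one; a few seconds of
    clock skew between issuance and the recorded iat is tolerated."""
    actual = token_lifetime_seconds(token)
    return {
        "expected": expected_seconds,
        "actual": actual,
        "ok": abs(actual - expected_seconds) <= tolerance,
    }


# Constructed sample data: placeholder issuer, audience and secret.
SAMPLE_SECRET = b"constructed-demo-secret"
ISSUED_AT = 1_700_000_000
BASE_CLAIMS = {"iss": "https://example-tenant.example/", "aud": "https://api.example/"}

# Machine-to-machine client: should match the 5-minute requirement.
API_CLIENT_TOKEN = make_sample_jwt(
    {**BASE_CLAIMS, "gty": "client-credentials", "iat": ISSUED_AT, "exp": ISSUED_AT + 300},
    SAMPLE_SECRET,
)
# Browser (SPA) login: should match the 4-hour requirement.
SPA_TOKEN = make_sample_jwt(
    {**BASE_CLAIMS, "sub": "auth0|user", "iat": ISSUED_AT, "exp": ISSUED_AT + 14400},
    SAMPLE_SECRET,
)
# A token whose lifetime does not match the requirement (e.g. a default of 24h).
LONG_LIVED_TOKEN = make_sample_jwt(
    {**BASE_CLAIMS, "gty": "client-credentials", "iat": ISSUED_AT, "exp": ISSUED_AT + 86400},
    SAMPLE_SECRET,
)

if __name__ == "__main__":
    for label, token, expected in (
        ("API client", API_CLIENT_TOKEN, 300),
        ("SPA", SPA_TOKEN, 14400),
        ("misconfigured API client", LONG_LIVED_TOKEN, 300),
    ):
        print(label, check_lifetime(token, expected))
```

To use this against a real tenant, paste an access token obtained through each flow (client-credentials for the API client, the SPA login for the browser case) in place of the constructed ones; the same decoder works for ID tokens, whose lifetime is governed by the SPA's ID token expiration setting listed in the question.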