Various timeouts and expirations - please clarify

I have both an API and SPA defined for an Auth0 tenant. There are so many expiration fields in these 2 things that I don’t know what to use to achieve what I want.

My requirements are as follows:

  1. Users who login via my SPA should be forced to re-login every 4 hours (14400 seconds)
  2. API clients (excluding the SPA) should be given an access token that is valid for 5 minutes (300 seconds)

Please advise which settings out of the following I should use to implement these requirements:

  • In tenant settings (Advanced) : Inactivity timeout; Require login after
  • In the API’s settings : Token expiration; Token expiration for browser
  • In the SPA’s settings : ID token expiration; Refresh token lifetime; Refresh token reuse interval

Thanks

The tenant settings inactivity timeout determines how often users have to log in. That is for your point 1.

In the API settings the field “Token Expiration” determines the access token lifetime.

John

1 Like
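Whatever dashboard fields you settle on, it is worth confirming on the receiving side that the tokens you actually get back carry the lifetimes from the two requirements (a 300-second access token for the API, and a 4-hour re-login bound for the SPA session). The script below is an added example, not code from this thread or from Auth0: it decodes a JWT payload offline, checks that `exp - iat` matches the expected API lifetime, and decides whether a session has exceeded the 14400-second limit using the standard OIDC `auth_time` claim. The sample tokens are constructed here; the function names, the `https://api.example.com` audience and the decision to fail closed when `auth_time` is missing are assumptions of this example. Signature verification is deliberately out of scope and must be done (for instance with a JWKS-backed library) before any of these claims are trusted.

```python
import base64
import json
import time

# Lifetimes from the two requirements in the question.
SPA_MAX_SESSION_SECONDS = 4 * 60 * 60   # 14400: force re-login every 4 hours
API_ACCESS_TOKEN_SECONDS = 5 * 60       # 300: access tokens for API clients


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Only use this to inspect lifetimes; the signature must be verified
    against the tenant's JWKS before any claim is acted on.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime(payload: dict) -> int:
    """Seconds between issuance (iat) and expiry (exp)."""
    return int(payload["exp"]) - int(payload["iat"])


def check_api_token_lifetime(payload: dict,
                             expected: int = API_ACCESS_TOKEN_SECONDS) -> bool:
    """True when the access token lives exactly as long as configured."""
    return token_lifetime(payload) == expected


def session_must_reauth(payload: dict, now: int,
                        max_session: int = SPA_MAX_SESSION_SECONDS) -> bool:
    """Enforce 'users must re-login every 4 hours' on the resource side.

    auth_time is the OIDC claim for when the user last authenticated.
    If it is absent we cannot prove the session is young, so fail closed
    (assumption of this example) and require a fresh login.
    """
    if "auth_time" not in payload:
        return True
    return now - int(payload["auth_time"]) >= max_session


def make_sample_token(payload: dict) -> str:
    """Constructed sample only: a header and payload with a placeholder
    signature segment so the example runs offline. Real tokens carry a
    signature that decode_payload() does not check."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


# Constructed sample claims (issuer and audience are placeholders).
ISSUED_AT = 1_700_000_000
SAMPLE_API_TOKEN = make_sample_token({
    "iss": "https://example-tenant.auth0.com/",
    "aud": "https://api.example.com",
    "iat": ISSUED_AT,
    "exp": ISSUED_AT + 300,
})
SAMPLE_SPA_ID_TOKEN = make_sample_token({
    "iss": "https://example-tenant.auth0.com/",
    "aud": "spa-client-id-placeholder",
    "iat": ISSUED_AT + 3600,        # refreshed an hour after login
    "exp": ISSUED_AT + 3600 + 36000,
    "auth_time": ISSUED_AT,         # the actual login happened here
})


if __name__ == "__main__":
    api_claims = decode_payload(SAMPLE_API_TOKEN)
    print("API token lifetime OK:", check_api_token_lifetime(api_claims))
    spa_claims = decode_payload(SAMPLE_SPA_ID_TOKEN)
    now = int(time.time())
    print("SPA session needs re-login:", session_must_reauth(spa_claims, now))
```

The point of keying the session check on `auth_time` rather than on `iat` is that a refreshed token has a fresh `iat` while the user may have last typed a password hours ago; only `auth_time` tracks the event the 4-hour requirement is about.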