Auth0 Home Blog Docs

What are the maximum and default ttl_sec values for "Create a password change ticket"?



What are the maximum and default ttl_sec values for “Create a password change ticket” management API endpoint?

I’ve read the area of the docs:!/Tickets/post_password_change
and for ttl_sec it says “The ticket’s lifetime in seconds starting from the moment of creation. After expiration the ticket can not be used to change the users’s password. If not specified or if you send 0 the Auth0 default lifetime will be applied”, but it doesn’t say what the default is, or if there is a maximum value that we can specify.

What is the default that’s used if it’s not specified?
Is there an upper limit on the value we can specify?


In relation to the maximum value to my knowledge there does not seem to be a hard limit that would be useful to document; I tried with the equivalent of 5000 days and it was accepted.

For the default lifetime, if I checked things correctly then it’s five days, however, I also asked the documentation team to review the documentation for that endpoint and to consider including the default value in the docs themselves.


We have also found this answer, which agrees with the default value of 5 days, but suggests that it is editable per tenant:
In any case, clarifying this in the documentation would be an improvement.


To my knowledge that setting would allow to change the value used when not using the ticket endpoint explicitly; for example, when the end-user requests a reset password it would use the value you configured there. For the tickets endpoint, personally, I would just prefer to send the value every time and not even bother with the default behavior.