Auth0 Home Blog Docs

Why are there different expiration periods for access tokens vs. id tokens?

access-token
id-token

#1

In the Auth0 control panel, it’s possible to set different expiration periods for access tokens and id tokens.

For access tokens, you’d go under APIs >> Settings >> Token Expiration (seconds)
For id tokens, you’d go under Applications >> Settings >> JWT Expiration (seconds)

Why have different expiration periods?

No matter which token expires first, I’d simply call the auth0.js library’s checkSession() method, which would renew both tokens anyways.


#2

The audiences of the ID Token and the Access Token are different.

  • The ID Token has information about the authentication process and the user information, and is meant to be consumed by the client requesting the token.
  • The Access Token, on the other hand, is meant to be consumed by the protected resource (the backend API).

Different expiration times just give you flexibility and helps you choose a good compromise between security and convenience.

The checkSession token renewal is kind of tangential to the token duration. checkSession will only work as long as the user didn’t log out of the identity provider, and the checkSession request involves the authorization server (Auth0). This means that the server can potentially deny a token renewal in some cases (e.g. if a user was blocked, or a rule that limit access based on certain context information, for instance).