Configuring Email Templates for Access Token Expiration (2024)

FAQs

How to set access token expiration time? ›

Best practice

Set the expiration time for refresh tokens in such a way that it is valid for a little longer period than the access tokens. For example, if you set 30 minutes for access token then set (at least) 24 hours for the refresh token.

If you attempt to use an expired token, you'll receive a "401 Unauthorized HTTP" response. When this happens, you'll need to refresh the access token. You shouldn't request a new token for every API call made, as each token is good for an hour and should be reused.

Access tokens: varies, depending on the client application requesting the token. For example, continuous access evaluation (CAE) capable clients that negotiate CAE-aware sessions will see a long lived token lifetime (up to 28 hours). ID tokens, SAML2 tokens: 1 hour.

To verify that your expiration time is correct, you can look at the exp and iat claim of your access token. Then you can perform the following calculation: Token expiration (in seconds) = exp (Expiration time in seconds) - iat (Issued at in seconds)

Access token lifetime

generateAccessToken method to create the token. This method enables you to choose the lifetime of the token, with a maximum lifetime of 12 hours. If you want to extend the token lifetime beyond the default, you must create an organization policy that enables the iam.

Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use.

The refresh token is a second token that can be used to replace an expired access token with a fresh one, without the need to perform the dance again. Unfortunately, there is no enforced standard that the SDK can use to automatically detect a token expiration scenario and obtain a new one.

If a refresh token is compromised (someone else got their hands on it or, even worse -- steals it), the individual would not only gain access to the resources provided by the API but also the amount of time the access has been granted would be more. Now that's a dreadful scenario for developers and users alike.

To refresh your access token and an ID token, you send a token request with a grant_type of refresh_token . Be sure to include the openid scope when you want to refresh the ID token. If the refresh token is valid, then you get back a new access token, a new ID token, and the refresh token.

What happens when a personal access token expires? ›

When a token has expired or has been revoked, it can no longer be used to authenticate Git and API requests. It is not possible to restore an expired or revoked token, you or the application will need to create a new token.

You can refresh access and ID tokens using the /token endpoint with the grant_type set to refresh_token . Before calling this endpoint, obtain the refresh token from the SDK and ensure that you've included offline_access as a scope in the SDK configurations.

You can configure token lifetimes in the Azure portal. Go to the Azure portal. In "Azure Active Directory" > "Security" > "Authentication methods" > "Authentication methods blade" > "Token Lifetime Policies". you can configure the lifetime of access tokens, refresh tokens, and ID tokens.

Unfortunately, there is no option to find the expiration time for the refresh token, because it is depending on authorization server and the type of client application, and it is not communicated to the client. In the Microsoft identity platform, the default lifetime for refresh tokens is 90 days.

When you create a personal access token, we recommend that you set an expiration for your token. Upon reaching your token's expiration date, the token is automatically revoked.