Extend Expiry Time of OAuth 2.0 Token

Hi Everyone,

We have implemented OAuth 2.0, but the default expiry time for the token returned in the response is 3600 sec, i.e. 1 day. Is there a way we can extend this time through the API, or can it be configured by the admin?

API Used
https://auth.atlassian.com/oauth/token

3600 sec, i.e. 1 day

I think that is actually one hour.

Is there a way we can extend this time through the API, or can it be configured by the admin?

There is not, because this is a security setting.

However, this feels like the wrong question: with refresh tokens, why do you even mind what the expiry time on the token is? What is the core problem that you are trying to solve?

1 Like

Hi @Faizanulhaq,

Building on @rmassaioli’s response (and I apologise in advance if you know this already), there are two types of tokens - refresh tokens and access tokens. Refresh tokens are used to generate new access tokens - they are not used to make regular API calls. Access tokens are used to make API calls. It’s important to protect both types of tokens, but the limited validity period of access tokens is an additional risk mitigation factor. We don’t want to extend the validity period because it increases the period in which a compromised token can be used. There also shouldn’t be any need to increase their validity period since your API calls should be made using generic code that checks the latest access token and requests a new one (using the refresh token) if it is stale.

Regards,
Dugald

2 Likes
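
The "generic code" pattern described in the reply above, as an added example that is not part of the original thread and not Atlassian's code. The `TokenManager` class, the 60-second `skew`, and the JSON request body are assumptions; the field names are the standard OAuth 2.0 refresh-grant parameters, and the transport and clock are injectable so the logic can be exercised offline.

```python
import json
import time
import urllib.request

TOKEN_URL = "https://auth.atlassian.com/oauth/token"  # endpoint named in the thread


def http_post_json(url, payload):
    """Default transport (assumed JSON body): POST and decode the JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Hands out a valid access token, refreshing it shortly before expiry."""

    def __init__(self, client_id, client_secret, refresh_token,
                 post=http_post_json, clock=time.monotonic, skew=60):
        self._client_id = client_id
        self._client_secret = client_secret
        self._refresh_token = refresh_token
        self._post = post
        self._clock = clock
        self._skew = skew  # refresh this many seconds early (assumed value)
        self._access_token = None
        self._expires_at = 0.0

    def access_token(self):
        # Stale means: never fetched, or within `skew` seconds of expiry.
        if self._access_token is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        return self._access_token

    def _refresh(self):
        body = self._post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "refresh_token": self._refresh_token,
        })
        self._access_token = body["access_token"]
        self._expires_at = self._clock() + int(body["expires_in"])
        # If the server returns a new refresh token, keep it for the next refresh.
        self._refresh_token = body.get("refresh_token", self._refresh_token)
```

Every API call then asks `access_token()` for its bearer token, so the 3600-second lifetime never surfaces in calling code. The refresh token and client secret are the long-lived credentials here and belong in a secret store, not in source or logs.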