This document lists the expiration of the different types of tokens referenced in Auth0 documentation.
The Management APIv1 Access Token
The default token expiration for APIv1 access tokens is 24 hours. For tokens issued for user-defined APIs, the expiration can be changed in the Auth0 Management API Settings section in the dashboard.
Auth0 Management APIv2 Token
The default token expiration for APIv2 access tokens is 24 hours. For tokens issued for user-defined APIs, the expiration can be changed in the Auth0 Management API Settings section in the dashboard.
Identity Provider Access Tokens
Since these tokens are created and managed by a third party (such as Facebook, GitHub, etc.), their validity period will vary by the issuing IdP. If you believe these tokens have been compromised, you will need to revoke or reset them with the third party that issued them.
ID Tokens Issued by Auth0
An id_token issued by Auth0 is valid for 10 hours (36000 seconds) by default. The expiration of this token can be set in the Apps/APIs -> Settings screen using the JWT expiration field.
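The following is an added example, not code from Auth0 or from this page: a relying application can enforce the lifetime described above by verifying the token and then checking `exp` and `iat` against its own maximum. It assumes an HS256-signed token and a shared secret; the function names, the sample secret and the sample claims are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, json

DEFAULT_ID_TOKEN_LIFETIME = 36000  # seconds; the default stated on this page

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(secret: bytes, iat: int, lifetime: int) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": "constructed|user", "iat": iat, "exp": iat + lifetime}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_expiration(token: str, secret: bytes, now: int,
                     max_lifetime: int = DEFAULT_ID_TOKEN_LIFETIME) -> dict:
    """Verify the HS256 signature first, then evaluate exp/iat against policy."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("segments are not JSON objects")
    except (ValueError, TypeError):
        return {"valid": False, "reason": "malformed"}
    # Pin the algorithm: never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        return {"valid": False, "reason": "unexpected alg"}
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return {"valid": False, "reason": "bad signature"}
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return {"valid": False, "reason": "missing exp/iat"}
    if now >= exp:
        return {"valid": False, "reason": "expired"}
    # Reject tokens minted with a longer lifetime than this application allows.
    if exp - iat > max_lifetime:
        return {"valid": False, "reason": "lifetime exceeds policy"}
    return {"valid": True, "reason": "ok", "seconds_left": exp - now}
```

Pass the current time as `now` (for example `int(time.time())`) in real use; it is a parameter here so the check is deterministic.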
Auth0 Refresh Tokens
A refresh_token never expires. It is used to obtain a new id_token, which does expire. Refresh tokens must be stored securely by an application since they allow a user to remain authenticated essentially forever. If you think a refresh token may have been compromised, you can revoke it or obtain a new token.
For customer application APIs registered in Auth0, the validity of a delegation token issued for that target is governed by the JWT Expiration (seconds) value. This is set for each application in Applications > Settings.
For APIs registered as Addons in Auth0, the validity period of the token will vary by individual Addon. The documentation available from the provider of any Addon API should be consulted for further information on tokens and expirations.