Management API Access Token FAQs
How long is the token valid for? The Management API token has by default a validity of 24 hours. After that the token will expire, and you will have to get a new one. Alternatively, if you get one manually from the API Explorer tab of your Auth0 Management API, you can change the expiration time. However, having non-expiring tokens is not secure.
The old way of generating tokens was better, since the token never expired. Why was this changed? The old way of generating tokens was insecure since the tokens had an infinite lifespan. The new implementation allows tokens to be generated with specific scopes and expirations. We decided to move to the most secure implementation because your security, and that of your users, is priority number one for us.
Can I change my token's validity period? You cannot change the default validity period, which is set to 24 hours. However, if you get a token manually from the API Explorer tab of your Auth0 Management API, you can change the expiration time for the specific token. Note though, that your applications should use short-lived tokens to minimize security risks.
Can I refresh my token? You cannot renew a Management API token. A new token should be created when the old one expires.
My token was compromised! Can I revoke it? You cannot directly revoke a Management API token; thus, we recommend a short validity period. Note that deleting the application grant will prevent new tokens from being issued to the application. You can do this either by using our API, or manually deauthorize the API application using the dashboard.
My Client Secret was compromised! What should I do? You need to change the secret immediately. Go to your Application's Settings, and click the Rotate icon, or use the Rotate a client secret endpoint. Note that previously-issued tokens will continue to be valid until their expiration time.