Set Access Token Lifetime
You control the Access Token lifetime on a per-API basis. Increase or decrease the validity period based on the security requirements of each API.
To configure the amount of time a token lives, use the Token Expiration (Seconds) field for your API in the Dashboard APIs section.
- Default value:
- Maximum amount of time (in seconds) that the token can be valid after being issued:
Regain access after an Access Token expires
Once expired, an Access Token can no longer be used to access an API. To regain access, a new Access Token needs to be obtained. This can be done by repeating the OAuth flow used to obtain the initial Access Token.
Use a Refresh Token to gain permanent access to an API
In some situations, it is desirable to have permanent, ongoing access to an API without having to repeat an OAuth flow. This is often referred to as offline_access, and is possible with the use of a Refresh Token.
A Refresh Token is issued from the OAuth 2.0 endpoints along with the Access Token. When the Access Token expires, the Refresh Token can be used to obtain a fresh Access Token with the same permissions, without further involvement from a user.
Note that offline access is enabled as a policy of the API to which the Access Token grants access. This is a setting that can be altered in the Dashboard in the APIs section. If the API does not permit offline access, a Refresh Token will not be issued. In such circumstances, the OAuth flow must be repeated in order to obtain a new Access Token.
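As an added example that is not part of the Auth0 documentation, the following Python client caches an Access Token, renews it with the refresh_token grant once it expires, and fails over to requiring a fresh OAuth flow when the API did not permit offline_access and so issued no Refresh Token. The token endpoint is a local stand-in (fake_token_endpoint, hypothetical), the sample responses are constructed, and the client_id is a placeholder.

```python
import time

# Constructed sample responses from the token endpoint. The first is what an
# API with offline_access enabled returns; the second omits refresh_token.
TOKEN_RESPONSE_WITH_REFRESH = {"access_token": "at-1", "token_type": "Bearer",
                               "expires_in": 3600, "refresh_token": "rt-1"}
TOKEN_RESPONSE_NO_REFRESH = {"access_token": "at-2", "token_type": "Bearer",
                             "expires_in": 3600}


def refresh_grant_body(client_id, refresh_token):
    """Form body for the refresh_token grant (RFC 6749 section 6).
    Confidential clients would also send client_secret; omitted here."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}


def fake_token_endpoint(body):
    """Stand-in for the token endpoint (hypothetical; no network).
    Only the refresh_token grant is modelled."""
    assert body["grant_type"] == "refresh_token"
    return {"access_token": "at-refreshed-" + body["refresh_token"],
            "token_type": "Bearer", "expires_in": 3600}


class TokenSession:
    """Caches an Access Token and renews it with the Refresh Token when it
    expires. `post_token` is the callable that talks to the token endpoint;
    `now` is injectable so expiry can be simulated without waiting."""

    def __init__(self, client_id, token_response, post_token, now=time.time, skew=30):
        self._client_id, self._post_token, self._now, self._skew = client_id, post_token, now, skew
        self.refresh_token = None
        self._apply(token_response)

    def _apply(self, resp):
        self.access_token = resp["access_token"]
        # A refresh response may omit refresh_token; keep the one we already hold.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = self._now() + resp["expires_in"]

    def get_access_token(self):
        # Renew `skew` seconds early so a token on the edge of expiry is not sent to the API.
        if self._now() < self.expires_at - self._skew:
            return self.access_token
        if self.refresh_token is None:
            # API does not permit offline_access: the OAuth flow must be repeated.
            raise PermissionError("Access Token expired and no Refresh Token; repeat the OAuth flow")
        self._apply(self._post_token(refresh_grant_body(self._client_id, self.refresh_token)))
        return self.access_token
```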
Revoking Access Tokens not supported
Because an issued Access Token cannot be revoked, Auth0 recommends that you set the validity period of the token according to the security requirements of the API. For example, an Access Token for a banking API should expire more quickly than one for a ToDo API.