Data API access & refresh token lifetimes

Learn about the default lifetimes of access and refresh tokens.


Introduction

To make authenticated requests, the Data API works with tokens. An access token grants access to certain data (based on the roles and permissions of your application). A refresh token is used to request a new access token. Both Data API tokens are JSON Web Tokens (JWTs). The official JWT introduction can be found here: JWT.IO - JSON Web Tokens Introduction.

Maximum and minimum lifetimes

  • Access token:

    • Maximum lifetime = 10800 seconds (3 hours)

    • Minimum lifetime = 60 seconds (1 minute)

  • Refresh token:

    • Maximum lifetime = 1209600 seconds (336 hours, 14 days)

    • Minimum lifetime = 60 seconds (1 minute)

How to override the defaults?

You can override the default values in the Authentication Profiles settings to extend the token lifetimes. If you set a value above the maximum lifetime, the Data API returns an error message. There is no option to exceed the maximum values.

Best practices?

  • Keep both token lifetimes as short as possible. The longer a token stays valid, the more attractive it becomes to steal.

  • Don’t abuse JSON Web Tokens as “sessions”. They are not the same thing.

  • Determining the lifetime values is always a balance between user experience and security. If you lower the lifetimes, your end-users might have to log in more often. If you extend the lifetimes to provide a better UX, the security risk increases. If you need the latter, our advice is to keep the access token lifetime as short as possible and extend only the refresh token lifetime. Refresh tokens may have longer lifetimes because they can only be used once and can only be requested when you are authenticated. However, best practice is to keep them both as short as possible.
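As an added example (not code from the Data API or its documentation), the following Python helper checks a proposed Authentication Profile setting against the lifetime bounds listed above and decides from a token's exp claim when a client should refresh; the bound constants come from this page, while the demo token, its claims and the 30-second margin are constructed for the example.

```python
import base64
import json

# Lifetime bounds documented for the Data API, in seconds.
ACCESS_MIN, ACCESS_MAX = 60, 10_800          # 1 minute .. 3 hours
REFRESH_MIN, REFRESH_MAX = 60, 1_209_600     # 1 minute .. 14 days


def validate_lifetimes(access_ttl: int, refresh_ttl: int) -> list[str]:
    """Return the problems a proposed profile setting would run into.

    An empty list means both values are inside the documented bounds. The
    recommended shape is a short access token and a longer refresh token,
    so a refresh lifetime shorter than the access lifetime is flagged too.
    """
    problems = []
    if not ACCESS_MIN <= access_ttl <= ACCESS_MAX:
        problems.append(f"access token lifetime {access_ttl}s outside {ACCESS_MIN}-{ACCESS_MAX}s")
    if not REFRESH_MIN <= refresh_ttl <= REFRESH_MAX:
        problems.append(f"refresh token lifetime {refresh_ttl}s outside {REFRESH_MIN}-{REFRESH_MAX}s")
    if refresh_ttl < access_ttl:
        problems.append("refresh token expires before the access token it renews")
    return problems


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding before decoding a JWT segment.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(iat: int, ttl: int) -> str:
    """Constructed, unverified demo JWT: real header/payload, placeholder signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iat": iat, "exp": iat + ttl}).encode())
    return f"{header}.{payload}.constructed-signature-placeholder"


def seconds_until_expiry(jwt: str, now: float) -> int:
    """Seconds left on the token's exp claim (negative once expired).

    This only parses the payload to schedule a refresh on the client side;
    it is not signature verification, which the Data API does server-side.
    """
    _header, payload, _signature = jwt.split(".")
    claims = json.loads(_b64url_decode(payload))
    return int(claims["exp"] - now)


def should_refresh(jwt: str, now: float, margin: int = 30) -> bool:
    """Refresh once fewer than `margin` seconds remain, before a request fails."""
    return seconds_until_expiry(jwt, now) <= margin
```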
