Access token expiration
An access token should be expired in two cases. First, it should be expired on logout. Second, the access token should expire after a fixed amount of time, and this duration shouldn't be long. The reason for expiring a token is that it is safer to have an access token valid for less time. If we have many access tokens which are not in use, then there are more chances that those tokens can be misused.
The expiration period can be around two hours or less. Although it depends on how you want to implement it, a shorter expiration period is more secure. Expiration does not mean that the user will need to log in again, instead there will be a token refresh endpoint. That will be hit with the last expired token against a ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access