Tokens are an essential part of keeping your application secure. They enable the continued verification of users and applications (including APIs), and are a mechanism for detecting unauthorized intruders.
Tokens must expire and be refreshed to remain secure, which is why you need to set how long each token type lasts.
You can define the lifetime (expiry time) of ID tokens, access tokens, and refresh tokens.
Authenticated sessions can also be time limited. For example, you can define how long a session lasts without user activity. This is also called the session inactivity timeout.
Expiry times and timeouts are usually defined in seconds: 3,600 seconds is one hour and 86,400 seconds is one day.
Tokens and sessions need to be configured per application.
- Go to Settings > Environment > Applications.
- Select View details on the application tile.
- Select Tokens in the side menu.
- For each token type, set the expiry time in seconds. 3,600 seconds is one hour; 86,400 seconds is one day.
- Select Save.
Tokens are a target for attackers. Access tokens in particular contain sensitive information, and anyone holding one can use it to access systems.
Refresh tokens reduce some of this risk, because they let access tokens stay short-lived and be replaced with new ones. However, for the same reason, a refresh token is itself a security risk: anyone holding it can obtain new access tokens.
To mitigate this risk, we recommend enabling Automatic Reuse Detection and Refresh Token Rotation. With rotation, each refresh token can be exchanged only once; reuse detection treats a second presentation of an already-used token as a sign of theft and revokes the related tokens.
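As an added example, not Kinde's code, the following Python sketch models what Refresh Token Rotation with Automatic Reuse Detection does on the server: every refresh token can be exchanged exactly once, refresh tokens expire after the configured lifetime, and presenting an already-rotated token revokes the whole token family descended from that login. The `TokenService` class, the TTL constants and the in-memory store are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass

ACCESS_TOKEN_TTL = 3_600     # one hour, expressed in seconds as on the page
REFRESH_TOKEN_TTL = 86_400   # one day


class ReuseDetected(Exception):
    """A refresh token that was already rotated was presented again."""


@dataclass
class RefreshRecord:
    family: str          # all tokens descended from one login share a family id
    expires_at: float    # absolute time (seconds) after which the token is dead
    used: bool = False   # set once the token has been exchanged


class TokenService:
    """Assumed in-memory store; a real deployment would persist this state."""

    def __init__(self):
        self._refresh: dict[str, RefreshRecord] = {}
        self._revoked_families: set[str] = set()

    def issue(self, now=None, family=None):
        now = time.time() if now is None else now
        family = family or secrets.token_hex(8)
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = RefreshRecord(family, now + REFRESH_TOKEN_TTL)
        access = {"token": secrets.token_urlsafe(32), "expires_at": now + ACCESS_TOKEN_TTL}
        return access, refresh

    def rotate(self, refresh, now=None):
        now = time.time() if now is None else now
        rec = self._refresh.get(refresh)
        if rec is None or rec.expires_at <= now or rec.family in self._revoked_families:
            raise PermissionError("refresh token unknown, expired or revoked")
        if rec.used:
            # Automatic reuse detection: a rotated token came back, so either the
            # legitimate client or someone with a stolen copy replayed it. We cannot
            # tell which, so the whole family is revoked and the user must log in again.
            self._revoked_families.add(rec.family)
            raise ReuseDetected(rec.family)
        rec.used = True
        return self.issue(now, rec.family)   # new access + refresh token, same family

    def family_of(self, refresh):
        return self._refresh[refresh].family

    def is_family_revoked(self, family):
        return family in self._revoked_families
```

The `now` parameter exists so the lifetimes can be exercised deterministically; omit it to use the wall clock.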
You can revoke access tokens and refresh tokens via the Kinde Management API. Search the Kinde API docs.