Skip to content
  • Build on Kinde
  • Tokens

Configure token and session expiry

Tokens are an essential part of keeping your application secure. They enable the continued verification of users and applications (including APIs), and are a mechanism for detecting unauthorized intruders.

Tokens need to be updated and refreshed to remain secure, which is why you need to set how long a token lasts, for each token type.

Define the lifetimes

Link to this section

You can define the lifetime (expiry time) of ID tokens, access tokens, and refresh tokens.

Authenticated sessions can also be time limited. For example, you can define how long a session lasts without user activity. This is also called the session inactivity timeout.

Expiry and timeouts are usually defined in seconds - where 3,600 seconds is one hour and 86,400 seconds is one day.

Tokens and sessions need to be configured per application.

Set token lifetimes

Link to this section
  1. Go to Settings > Environment > Applications.
  2. Select View details on the application tile.
  3. Select Tokens in the side menu.
  4. For each token type, set the expiry time in seconds. 3,600 seconds is one hour; 86,400 seconds is one day.
  5. Select Save.

Token security

Link to this section

Tokens can be vulnerable to security breaches. Access tokens in particular contain sensitive information, and these tokens can be used to access systems.

Refresh tokens can be used to reduce some of this risk as they can be used to get new access tokens. However, refresh tokens are also a security risk for the same reason they are useful.

To mitigate risk, we recommend using Automatic Reuse Detection and Refresh Token Rotation.

You can revoke access tokens and refresh tokens via the Kinde Management API. Search the Kinde API docs.