JWT-Authentication

Should refresh token have expiration time?

Open emmanuel-D opened this issue 4 years ago • 2 comments

Hey Kyle, I have followed your tutorial on YouTube and also implemented some logic like you using JWT but in Java with the Framework Spring-Boot. I am working on a mobile app like Twitter and I would like to know if refresh-tokens should have an expiration time or are they valid forever?

emmanuel-D, Nov 29 '20 16:11

@emmanuel-D indeed they should have an expiration time just like normal jsonwebtokens. If it doesn't expire, any malicious person who gets it has access to a user account.

JosiasAurel, Dec 06 '20 06:12

It is usually recommended to be 84600 seconds or 24 hours due to the fact users won't like to sign in every 15-30 minutes.

StoyanovDenislav, Oct 09 '23 20:10