Authorization Duration

Authorization duration in your application determines the period of time during which a user's granted access or permissions remain valid. It determines how long an authorization, such as an authorization code or grant, remains active before the user needs to re-authenticate or reauthorize their access. The duration can vary depending on the application's security and user experience requirements and can range from minutes to 24 hours. It's a critical aspect of security and user convenience in managing access to application features and data.

Authorization Code Duration

After successful verification, the user grants the authorization request and the authorization server generates an authorization code. The authorization server then redirects the user back to the application, and includes an authorization code and, if applicable, the application’s “state” value to the redirect URL.

This authorization code has an expiration time set to shortly after it is issued. According to the OAuth 2.0 spec, it recommends a maximum lifetime of 10-minutes; however, most OAuth services, including ID.me, sets the authorization code’s expiration to a much shorter timeline for security purposes.

Authorization Grant Duration

By default, ID.me sets the authorization grant expiration time to 5-minutes after the authorization grant has been issued. However, this default expiration time can be shortened or lengthened by reaching out to your dedicated Solution Consultant. If you do not know who your dedicated Solution Consultant is, please contact [email protected].

Please note that an authorization grant can only be used once. If a client tries to use the authorization code more than once, the authorization server will deny the request and revoke all tokens previously issued based on that authorization code.

If you would like to learn more about how ID.me leverages the authorization code through the OAuth 2.0 flow, please see our OAuth 2.0 integration guide.

Authorization Code & Authorization Grant Duration Configuration

Please contact your dedicated Solution Consultant or [email protected] to change the authorization grant and code duration in ID.me