Token Expiration
Token expiration in an application determines the limited lifespan of the authentication or access tokens issued to users. These tokens are used for authentication and authorization. When a token expires, the user must re-authenticate to obtain a new token for continued access. This time-based mechanism improves security by limiting the window in which a compromised token can be used for unauthorized access, and it keeps user access under your control. The token expiration period is set based on your application's specific requirements and configuration.
Access Token
After successful verification, the user grants the authorization request and the authorization server generates an authorization code. The authorization server then redirects the user back to the application and includes the authorization code in the redirect URL. Using that authorization code, your application sends a request to ID.me's Token Endpoint to retrieve the payload containing your access token and refresh token. Each token's expiration can be found in the payload.
The access token is set to expire shortly after it is issued. Note that the 10-minute maximum lifetime recommended by the OAuth 2.0 specification (RFC 6749) applies to the authorization code, not to the access token; most OAuth services, including ID.me, set the authorization code's expiration to a much shorter period for security purposes. ID.me access tokens are set to expire 5 minutes (300 seconds) after they are issued.
Token Expiration
By default, ID.me sets the access token to expire 5 minutes after it is issued. This default expiration time can be shortened or lengthened by reaching out to your dedicated Solution Consultant. If you do not know who your dedicated Solution Consultant is, please contact [email protected].
Please note that an access token can only be used once. If a client tries to use the same access token more than once, the server will deny the request and revoke the token. In practice this means your application should not retry a request by resending the same access token; obtain a new one (with the refresh token, described below) instead.
If you would like to learn more about how ID.me leverages the access token through the OAuth 2.0 flow, please see our OAuth 2.0 integration guide.
Refresh Token
In order to secure your applications, ID.me encourages you to keep the 5-minute access token expiration. The risk of damage is high if an access token for a sensitive application is compromised, so it is important to minimize that threat by expiring all tokens. If you need another access token, use the refresh token included in the token payload. The refresh token allows you to obtain another access token without asking the user to re-authenticate; once the refresh token itself has expired, the user must go through the authorization flow again. Because a refresh token is long-lived and can mint access tokens without user interaction, store it as carefully as a credential. By default, ID.me sets the refresh token to expire after 7 days (10,080 minutes). This default expiration time can be shortened or lengthened by reaching out to your dedicated Solution Consultant. If you do not know who your dedicated Solution Consultant is, please contact [email protected].
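The following is an added example of the client-side token lifecycle described in the Access Token and Refresh Token sections above; it is not ID.me's SDK or sample code. It assumes the standard RFC 6749 token response fields (access_token, refresh_token, expires_in), uses the documented defaults (5-minute access token, 7-day refresh token) when a lifetime is not present in the payload, and treats the field name refresh_expires_in as an assumption. The token endpoint is replaced by a constructed in-process stand-in so the code runs offline; the real exchange is an HTTPS POST of the same form fields to ID.me's Token Endpoint. The example checks expiry with a small clock-skew margin, treats the access token as single-use, refreshes when the access token is spent or expired, and signals that the user must re-authenticate once the refresh token has expired.

```python
"""Client-side OAuth 2.0 token lifecycle: expiry checks, single use, refresh.

Example code added to this page, not ID.me's own. Field names follow RFC 6749;
refresh_expires_in is an assumed, non-standard field and falls back to the
documented 7-day default when absent.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DEFAULT_ACCESS_TTL = 300               # ID.me default: 5 minutes (300 seconds)
DEFAULT_REFRESH_TTL = 7 * 24 * 3600    # ID.me default: 7 days (10,080 minutes)
CLOCK_SKEW = 30                        # treat tokens as expired this many seconds early


class ReauthRequired(Exception):
    """Neither the access token nor the refresh token is usable any more."""


class TokenReused(Exception):
    """An access token was presented a second time (the server would reject it)."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    access_expires_at: float   # absolute epoch seconds, computed client-side
    refresh_expires_at: float
    used: bool = False

    @classmethod
    def from_payload(cls, payload: Dict, now: float) -> "TokenSet":
        """Turn a token-endpoint response into absolute expiry times."""
        access_ttl = int(payload.get("expires_in", DEFAULT_ACCESS_TTL))
        refresh_ttl = int(payload.get("refresh_expires_in", DEFAULT_REFRESH_TTL))  # assumed field
        return cls(payload["access_token"], payload.get("refresh_token"),
                   now + access_ttl, now + refresh_ttl)

    def access_valid(self, now: float) -> bool:
        return not self.used and now + CLOCK_SKEW < self.access_expires_at

    def refresh_valid(self, now: float) -> bool:
        return self.refresh_token is not None and now + CLOCK_SKEW < self.refresh_expires_at

    def consume(self) -> str:
        """Hand out the access token exactly once."""
        if self.used:
            raise TokenReused("access token already used; refresh instead of retrying")
        self.used = True
        return self.access_token


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str) -> Dict[str, str]:
    """Form body for the refresh grant (RFC 6749 section 6)."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}


def get_bearer_token(tokens: TokenSet, now: float, client_id: str, client_secret: str,
                     post_refresh: Callable[[Dict[str, str]], Dict]) -> Tuple[TokenSet, str]:
    """Return (current token set, access token to use for one API call).

    post_refresh sends the form to the token endpoint and returns the JSON payload.
    """
    if tokens.access_valid(now):
        return tokens, tokens.consume()
    if not tokens.refresh_valid(now):
        raise ReauthRequired("refresh token missing or expired; restart the authorization flow")
    payload = post_refresh(build_refresh_request(client_id, client_secret, tokens.refresh_token))
    fresh = TokenSet.from_payload(payload, now)
    if "refresh_token" not in payload:
        # RFC 6749 allows the server to omit a new refresh token: keep the old one and its expiry.
        fresh.refresh_token = tokens.refresh_token
        fresh.refresh_expires_at = tokens.refresh_expires_at
    return fresh, fresh.consume()


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint so the example runs offline.

    It checks client credentials and that the refresh token is one it issued,
    then rotates both tokens. Rotation here is a modelling choice, not a
    statement about ID.me's server behaviour.
    """

    def __init__(self, client_id: str, client_secret: str, first_refresh: str = "rt-1"):
        self.client_id, self.client_secret = client_id, client_secret
        self.counter = 1
        self.live_refresh = {first_refresh}

    def refresh(self, form: Dict[str, str]) -> Dict:
        if form.get("grant_type") != "refresh_token":
            raise ValueError("unsupported_grant_type")
        if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
            raise PermissionError("invalid_client")
        if form.get("refresh_token") not in self.live_refresh:
            raise PermissionError("invalid_grant")
        self.live_refresh.discard(form["refresh_token"])
        self.counter += 1
        new_rt = f"rt-{self.counter}"
        self.live_refresh.add(new_rt)
        return {"access_token": f"at-{self.counter}", "token_type": "Bearer",
                "expires_in": DEFAULT_ACCESS_TTL, "refresh_token": new_rt}
```

Usage: build the initial TokenSet from the payload returned for the authorization code, then call get_bearer_token immediately before each API request. Because the access token is single-use, every request after the first goes through the refresh grant until the refresh token expires, at which point ReauthRequired tells you to send the user back through authorization. The 30-second skew margin is a client-side safety measure, not an ID.me parameter.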