Infinite token #137
Comments
I think if you leave out the exp claim, the token will never expire.
Just like this?
Is this a good way to use? I mean, for me it's confusing to request user/pass to get a token every request for my API. Can I generate an API Token for my user without
@thiagok Even if you technically could, I would argue that you should not. Think about it like this: if you provide a user with an infinitely lasting token, how would you remove access for that token in the future if you needed to? As far as I know, the only way would be to change your application secret, something that would impact all users by invalidating every single token. Furthermore, I think there is no good reason to hand out infinitely lasting tokens. Having an expiry date (even if it is a year) guarantees nobody will be able to abuse your services infinitely.
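The trade-off discussed in the comment above, as an added example (not code from this project or from anyone in the thread): an HS256 verifier that rejects tokens without `exp`, caps the lifetime, and goes one step further by revoking a single token through its `jti` without rotating the secret. The secret, the one-year cap and the in-memory denylist are assumptions, and only the Python standard library is used, not this project's API.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # constructed sample key (assumption)
MAX_LIFETIME = 365 * 24 * 3600        # assumed policy: at most one year
REVOKED_JTI = set()                   # assumed per-token denylist keyed by "jti"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def sign(claims):
    """Build an HS256 JWT from a claims dict."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(SECRET, header + b"." + body, hashlib.sha256).digest()
    return (header + b"." + body + b"." + _b64(mac)).decode()

def verify(token, now=None):
    """Return the claims, or raise ValueError if the token must be rejected."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.encode().split(b".")
    except ValueError:
        raise ValueError("malformed token")
    # The algorithm is fixed to HS256 here; the header's "alg" is never trusted.
    expected = hmac.new(SECRET, header + b"." + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        raise ValueError("exp and iat are required")  # refuses infinite tokens
    if exp - iat > MAX_LIFETIME:
        raise ValueError("lifetime exceeds policy")
    if now >= exp:
        raise ValueError("expired")
    if claims.get("jti") in REVOKED_JTI:
        raise ValueError("revoked")   # one token cut off, secret unchanged
    return claims
```

A production denylist would live in shared storage and only needs to keep each `jti` until that token's `exp` has passed.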
I would like to know if there is a way to have an infinite token, so I don't have to refresh the expiration time.
Thanks.