Infinite token

[jaimecuellar14]

I would like to know if there is a way to have an infinite token, so I dont have to refresh the expiration time.
Thanks.

[tuupola]

I think if you leave out the exp claim token will never expire.

[jaimecuellar14]

Just like this?

`$payload = [
            	"iat" => $now->getTimeStamp(),
            	"jti" => $jti,
            	"sub" => $server["PHP_AUTH_USER"]
        	];`

[thiagok]

Is this a good way to use? I mean, for me it's confuse to request user/pass to get a token every request for my api.

Can I generate an API Token for my user without exp and use for ever?

[ItsBasvanDam]

@thiagok Even if you technically could, I would argue that you should not. Think about it like this: if you provide a user with an infinitely lasting token, how would you remove access for that token in the future if you needed to? As far as I know, the only way would be to change your application secret, something that would impact all users by invalidating every single token.

Furthermore, I think there is no good reason to hand out infinitely lasting tokens. Having an expiry date (even if it is a year) guarantees nobody will be able to abuse your services infinitely.