By default, the session timeout is 100 days.
This means that a user will get logged out only after 100 days of inactivity. To put this another way, if a user is active even once in 100 days (after the access token expires), their session's lifetime is extended by another 100 days.
This value can be changed by:
- Changing the `refresh_token_validity` value (time in minutes): determines the overall session timeout.
  - The default is 100 days.
- Changing the `access_token_validity` value (time in seconds): does not affect the overall session timeout, but affects how often session refreshing occurs.
  - The default is 1 hour.
  - This time does not determine the user experience, but only the security of the overall session system.
```bash
docker run \
  -p 3567:3567 \
  -e REFRESH_TOKEN_VALIDITY=<Default: 144000> \
  -e ACCESS_TOKEN_VALIDITY=<Default: 3600> \
  -d supertokens/supertokens-<db name>
```

```yaml
# You need to add the following to the config.yaml file.
# The file path can be found by running the "supertokens --help" command.
refresh_token_validity: # Default 144000
access_token_validity: # Default 3600
```
- Navigate to your SuperTokens managed service dashboard, and click on the Edit Configuration button.
- In there, change the values of the following fields, and click on save.
```yaml
refresh_token_validity: # Default 144000
access_token_validity: # Default 3600
```
We recommend keeping the `access_token_validity` as small as possible because:
- If an access token is stolen, token theft detection can only occur after that access token expires.
- If the session is revoked, and the user somehow still has their access token, they will be able to query the APIs until it expires (unless you switch on access token blacklisting).
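The lifetime rules above, modelled as an added example (not SuperTokens code): a session holds a short-lived access token and a refresh token whose expiry is the overall timeout; a request after the access token expires but inside the refresh window extends the session by another `refresh_token_validity`, and a revoked session keeps working until its current access token expires unless blacklisting is on. Defaults are the page's 144000 minutes and 3600 seconds; the `Session` class, `on_request` and `simulate` are constructed for this illustration.

```python
from dataclasses import dataclass

# Defaults from the page: refresh_token_validity is in minutes, access_token_validity in seconds.
REFRESH_TOKEN_VALIDITY_MIN = 144000  # 100 days
ACCESS_TOKEN_VALIDITY_SEC = 3600     # 1 hour


@dataclass
class Session:
    """One session: a short-lived access token plus a refresh token whose expiry is the
    overall session timeout. Times are epoch seconds (constructed, not real tokens)."""
    access_expires: float
    refresh_expires: float
    revoked: bool = False
    refreshes: int = 0


def create_session(now, access_sec=ACCESS_TOKEN_VALIDITY_SEC, refresh_min=REFRESH_TOKEN_VALIDITY_MIN):
    return Session(now + access_sec, now + refresh_min * 60)


def on_request(session, now, access_sec=ACCESS_TOKEN_VALIDITY_SEC,
               refresh_min=REFRESH_TOKEN_VALIDITY_MIN, blacklist=False):
    """Outcome of an API call at time `now`: 'ok', 'refreshed', 'expired' or 'revoked'."""
    if now < session.access_expires:
        # Access token still valid: accepted as-is, so a revoked session keeps
        # working until the token expires unless access token blacklisting is on.
        return "revoked" if (blacklist and session.revoked) else "ok"
    if session.revoked:
        return "revoked"          # refresh is rejected once the session is gone
    if now >= session.refresh_expires:
        return "expired"          # inactive for longer than refresh_token_validity
    # Access token expired but refresh token valid: refresh, and the session
    # lifetime is extended by another refresh_token_validity from now.
    session.access_expires = now + access_sec
    session.refresh_expires = now + refresh_min * 60
    session.refreshes += 1
    return "refreshed"


def simulate(request_times, access_sec=ACCESS_TOKEN_VALIDITY_SEC,
             refresh_min=REFRESH_TOKEN_VALIDITY_MIN):
    """Create a session at t=0 and return the outcome of each request time (seconds)."""
    s = create_session(0, access_sec, refresh_min)
    return [on_request(s, t, access_sec, refresh_min) for t in request_times]


if __name__ == "__main__":
    DAY = 86400
    # Activity every 99 days keeps the session alive; a gap longer than 100 days ends it.
    print(simulate([1800, 7200, 7200 + 99 * DAY, 7200 + 200 * DAY]))
    s = create_session(0)
    s.revoked = True  # revoked, but the 1-hour access token is still unexpired
    print(on_request(s, 1800), on_request(s, 1800, blacklist=True), on_request(s, 7200))
```

Running it prints `['ok', 'refreshed', 'refreshed', 'expired']` and `ok revoked revoked`, which is the window a smaller `access_token_validity` shrinks.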