What's the maximum expiresIn time that can be set for an access token in Apigee, besides infinity?

Can my access token created in Apigee exist for more than 30 days and odd? Rather, what is the maximum span that I can add into the expiresIn tag for an access token?

1 ACCEPTED SOLUTION

Dear @dj1,

Yes, you can set the expires-in time for an access token using the ExpiresIn element.

<ExpiresIn>10000</ExpiresIn> <!-- 10000 milliseconds -->

The value is any integer, including -1 (which indicates an infinite expiry time).

Enforces the expiry time of access tokens, refresh tokens, and authorization codes in milliseconds. The expiry time value is a system generated value plus the <ExpiresIn> value. If <ExpiresIn> is set to -1, the token or code is given an infinite lifetime. If <ExpiresIn> is not specified, the system applies a default value configured at the system level.

Cheers,

Anil Sagar

4 REPLIES

I did a smoke test and Apigee seems to be accepting it! But wanted to verify and be sure of this.

Thanks

Any specific reason you want your token to last that long? Why not re-authenticate? I am just trying to understand a use case for longer access token expiry times. Please let me know.

Hello,

In my organisation, after 2 years I can see a pattern. Most of the internal business units using our APIs do not implement a best practice, i.e. our "token_generater" API based on the credential is always called, no matter if the token is still valid or not. That generates exponential calls to that particular API.

Furthermore, we often get the question "Why can we not have a long-lasting or never-expiring token for internal business units that we trust?"

We are trying to educate the consumers to implement the code in such a way that you only make the call if the token is not valid... But that has not been working for the last years...

What is the recommendation on this case?
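
The client-side pattern the last post describes (request a new token only when the cached one is no longer valid), as an added example that is not code from this thread or from Apigee. `CachedTokenProvider`, the `fetch_token` callable and the 30-second skew are hypothetical, and the token response is assumed to carry `access_token` plus `expires_in` in seconds, as in RFC 6749.

```python
import threading
import time


class CachedTokenProvider:
    """Reuse one access token until shortly before it expires."""

    def __init__(self, fetch_token, skew_seconds=30, clock=time.monotonic):
        self._fetch_token = fetch_token  # hypothetical callable that calls the token endpoint
        self._skew = skew_seconds        # refresh this many seconds before expiry
        self._clock = clock
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0             # how often the token endpoint was really hit

    def get_token(self):
        with self._lock:  # one refresh at a time, even with many worker threads
            if self._token is None or self._clock() >= self._expires_at - self._skew:
                body = self._fetch_token()
                self.fetch_count += 1
                # Assumption: expires_in is in seconds; int() also accepts
                # a response that serializes the number as a string.
                lifetime = int(body["expires_in"])
                self._token = body["access_token"]
                self._expires_at = self._clock() + lifetime
            return self._token

    def invalidate(self):
        """Call after a 401 so the next get_token() fetches a fresh token."""
        with self._lock:
            self._token = None


def demo():
    """Constructed run: 1000 API calls over 50 minutes against a 30-minute token."""
    now = [0.0]
    issued = []

    def fake_fetch():  # stands in for the real token call; constructed response
        issued.append(f"tok-{len(issued) + 1}")
        return {"access_token": issued[-1], "expires_in": "1800"}

    provider = CachedTokenProvider(fake_fetch, clock=lambda: now[0])
    seen = []
    for _ in range(1000):
        seen.append(provider.get_token())
        now[0] += 3.0  # three seconds between API calls
    return provider.fetch_count, seen[0], seen[-1]
```

In the constructed run the token endpoint is called twice for 1000 API calls, so a 30-minute token costs two token requests instead of one per call.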