Best practices on long-lived refresh tokens?


We're thinking of bumping the lifetime of our Apigee refresh tokens from 1 day to 6 months to simulate an "always signed on" experience for our end users. What are the security best practices around such long-lived refresh tokens? (Secure cookie attributes, ReuseRefreshToken, custom theft detection and revocation, etc.?)
