|Refresh Token Lifetime||0||any non-zero value||Recommendation: Keep the refresh token lifetime long, ideally 3 months or more.|
|Refresh Token Unit||never||never, days, or months||If the value is never, the refresh token never expires.|
|Access Token Lifetime||12||any non-zero value||Recommendation: Keep the access token lifetime short.|
|Access Token Unit||hours||minutes, hours, days||Recommendation: Keep the access token lifetime short.|
|Access Token Type||jwt||jwt, opaque||Currently only JWT-based access tokens are allowed.|
|Signing Algorithm||RSA Signature with SHA-256||RSA Signature with SHA-256, ECDSA using P-256||Signing algorithm for the JWT-based access token. The refresh token is an opaque string, so no signing is required.|
|Allowed claims||List of claims allowed to be included in the issued access token.|
- In Axioms, access tokens are JWT-based and signed with the configured signing algorithm. Axioms allows only one signing algorithm per tenant to support federation.
- Multiple resources (APIs) registered in a tenant can use the same access token as long as the token's audience value includes the resource identifier or resource endpoint.
- Refresh tokens are opaque and generally long-lived. Users can revoke refresh tokens at any time from their hosted profile pages.
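
The checks a resource (API) would apply to such an access token, as an added example that is not Axioms code: pin the tenant's single signing algorithm, verify the RS256 signature, require the API's own identifier in the audience, and reject expired tokens. The function names, the `orders-api`/`billing-api` identifiers and the toy RSA key are assumptions made for illustration; a real API would verify against the tenant's published public key with a maintained JWT library.

```python
import base64, hashlib, json, time

# Constructed demo key built from two Mersenne primes: for this example only, never for real tokens.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo header
TENANT_ALG = "RS256"  # assumed: the tenant's single configured algorithm

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_digest(message):
    # EMSA-PKCS1-v1_5 encoding of SHA-256(message), returned as an integer
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def issue(claims, alg=TENANT_ALG):
    # Hypothetical stand-in for the authorization server; builds sample tokens only
    head = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = head + "." + b64u(json.dumps(claims).encode())
    sig = pow(encoded_digest(signing_input.encode()), D, N)
    return signing_input + "." + b64u(sig.to_bytes(K, "big"))

def validate(token, resource_id, now=None):
    """Return the claims if the token is acceptable for resource_id, else raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        alg = json.loads(unb64u(head_b64)).get("alg")
        sig = int.from_bytes(unb64u(sig_b64), "big")
    except Exception:
        raise ValueError("malformed token")
    if alg != TENANT_ALG:  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    if sig >= N or pow(sig, E, N) != encoded_digest((head_b64 + "." + body_b64).encode()):
        raise ValueError("bad signature")
    claims = json.loads(unb64u(body_b64))
    aud = claims.get("aud", [])
    if resource_id not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":  # constructed sample: 12-hour token for two APIs
    t = issue({"aud": ["orders-api", "billing-api"], "exp": time.time() + 12 * 3600})
    print(validate(t, "orders-api")["aud"])
```
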
JWT Token Options
Tenant and then find JWT Token Options panel under Tenant Settings tab. Change JWT token options and click