refresh token lifetime best practices
Best Practices to Secure Refresh Tokens.
How to change OAuth2 Refresh Token Lifetime on Cloud (sugarondemand ...
Best practices for expiration of tokens in a Security Token Service ...
Conditional access and sign-in frequency - All about Microsoft Endpoint ...
SHOULD be time limited with a short lifetime of seconds or minutes. Best practice is to securely delete the old Refresh token when getting a new Refresh token. In some cases the best response to requirements .
1 Summary — NIST SP 1800-13 documentation
Alternatively, distribute a JWT token and set an expiration time.
Best Practices to Prevent Rate-Limiting - Salesforce
Only after this, app2 obtains a new token via refreshToken that uses biometric login of the app under the hood and redirects the user to the screen added in the deep link. Configurable token lifetime properties.
An in-depth look at refresh tokens in the browser
This enables PKCE and refresh token support for browser applications.
Best practices for FCM registration token management - Firebase
OAuth 2.0 best practices for developers - Pragmatic Web Security
Best practice is to securely delete the old Refresh token when getting a new Refresh token. However, in practice it doesn't seem to be the case because I was able to use the same refresh token that was generated 24 hours ago to request a new access token. Acceptance is assumed granted and tokens are issued. In OAuth2 when you get a token you also get an expires_in field that gives you the token lifetime in seconds. Now click on the Send button which will generate the access token along with the refresh token as shown below. If I understand best practices, JWT usually has an expiration date that is short-lived (~ 15 minutes). Step 3: Select the Body Tab. A token lifetime policy is a type of policy object that contains token lifetime rules.