M2M token expiry and refresh
Hey
- Is it possible (even though it's advised not to) to set the expiry for M2M tokens to "never expire"?
- If I get a new M2M token per API call, will that impact the billing?
Hey @Stian - Fartskriver
1. If you need long-lived access, consider implementing a system that uses refresh tokens to obtain new access tokens when needed, rather than setting tokens to never expire. This approach provides a balance between convenience and security. Unlike our SDKs, there isn't a built-in way to refresh M2M - https://docs.kinde.com/build/tokens/refresh-tokens/
2. You can read how we charge for M2M tokens here - https://docs.kinde.com/developer-tools/kinde-api/add-a-m2m-application-for-api-access/#how-m2m-tokens-are-calculated-in-kinde
I'm unable to find where I can add the offline parameter in Kinde.
According to KindeAI:
Answer: You can set scopes for your API in several places depending on your use case. Here are the main options:

Add scopes to an API
1. Go to Settings > APIs in Kinde.
2. Select View details on the API you want to add scopes for.
3. In the menu, select Scopes.
4. Select Add scope.
5. Enter a name and description for the scope.
6. Select Save.

Apply API scopes via user role
1. Go to Settings > Roles in Kinde.
2. Add a new role or edit an existing one.
3. Switch on API scopes at the bottom of the window.
4. Save the role and assign it to users as needed.

Apply additional API scopes for a user
1. Go to Settings > Users in Kinde.
2. Open the record for the user you want.
3. Select API scopes in the side menu.
4. In the Additional API scopes section, select Add scopes.
5. Switch on the desired scopes and save.

Authorize and enable scopes for an application
1. Go to Settings > Applications and select View details on the relevant application.
2. Select APIs in the side menu.
3. Authorize the application if needed.
4. Select Manage scopes from the three dots menu.
5. Switch on or off the allowed scopes for the application.
6. Select Save.

Remember to always use scopes appropriately to ensure proper security and access control for your API.
The option for scopes does not exist where explained.
You will need to add it to your request in your code base: https://docs.kinde.com/authenticate/manage-authentication/user-auth-applications/#offline-scopes-and-refresh-tokens
Let me know if this doesn't solve your use case.
Scopes not valid, same goes for code implementation.
Sorry about this Stian, let me check with the team on how to best solve this for you
Thank you.
Is this related to the #announcements that was recently posted?
Hi @Stian - Fartskriver,
The offline scope and refresh tokens are not applicable to M2M tokens as this uses the client credentials flow which does not require a user interaction. Typically the access token would be cached and, rather than using a refresh token, the client credentials are used to obtain a new token when required.
Can you tell us a bit about your use case and the restrictions you're working with?
I'm just trying to keep a persistent connection between the server and Kinde so I can create users on demand.
I'm trying to retrieve the refresh token so that I can persist the connection.
You say "access token"; are you referring to the bearer token?
I could just retrieve a new token every time I need to use the API, but from my understanding Kinde uses a per-token cost calculation, hence why I'm opting to use refresh tokens.
Yes, the access token is often passed as the bearer token.
For other auth flows that use a refresh token, the refresh token is used to gain a new access token periodically, so new tokens are still issued.
You can use the same access token for multiple requests for as long as it is valid. Using the default expiry of one day should limit you to needing a new token once per day if caching and reusing the token. The maximum expiry is 28 days; the consideration for longer expiry is mostly around risk - if a token is leaked, a potential malicious actor has a potentially longer access window.
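The caching pattern the replies above describe (reuse one client-credentials token until it expires, then obtain another with the client credentials rather than a refresh token), as an added example that is not Kinde's own code. The fetch_token callable is assumed to perform the client-credentials request and return the token endpoint's JSON body with the standard OAuth2 access_token and expires_in fields; simulate uses a constructed fake issuer and fake clock so it runs offline.

```python
import time
from typing import Callable, Optional

class M2MTokenCache:
    """Hold one client-credentials access token and reuse it until shortly before
    it expires, then call `fetch_token` once for a fresh one. Every fetch is a
    newly issued (billable) token, so callers share one instance rather than
    requesting a token per API call. No refresh token is involved: the client
    credentials themselves are re-presented when a new token is needed."""

    def __init__(self, fetch_token: Callable[[], dict], leeway_seconds: int = 60,
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch_token      # assumed: POSTs grant_type=client_credentials, returns JSON body
        self._leeway = leeway_seconds  # renew slightly early so a request never races expiry
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0           # tokens actually issued; what billing would see

    def get_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._leeway:
            body = self._fetch()
            self._token = body["access_token"]
            self._expires_at = now + int(body["expires_in"])  # standard OAuth2 field, seconds
            self.fetch_count += 1
        return self._token

def simulate(calls: int, interval_seconds: int, expires_in: int = 86400) -> int:
    """Constructed offline run against a fake issuer: `calls` API calls spaced
    `interval_seconds` apart, tokens valid for `expires_in` seconds (86400 = the
    one-day default mentioned in the thread). Returns the number of tokens issued."""
    fake_now = [0.0]
    issued = [0]

    def fake_fetch() -> dict:
        issued[0] += 1
        return {"access_token": f"fake-token-{issued[0]}", "expires_in": expires_in}

    cache = M2MTokenCache(fake_fetch, leeway_seconds=60, clock=lambda: fake_now[0])
    for _ in range(calls):
        cache.get_token()
        fake_now[0] += interval_seconds
    return cache.fetch_count

if __name__ == "__main__":
    # 1000 calls ten minutes apart (about 7 days): 7 tokens issued instead of 1000
    print(simulate(calls=1000, interval_seconds=600))
```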
Okay, then I'll just have to retrieve a new M2M token once it's expired.
Thanks.