Expiration Period of the Access Token

An access token has an expiration period. The default is 2147483647 seconds (68 years), so if you keep the default you will not have to worry about token expiration and re-login.

You can change this value to set an explicit expiration period on the access token and so strengthen security (i.e. reduce the risk of access token leakage).

If you set the expiration period, the token will be invalidated after this period has passed; accessing Kii Cloud with the invalidated access token will return an error. You can automatically replace the expired access token with a new one by using the refresh token feature available in the Kii Cloud SDKs for Android and iOS and in the REST API.

Please note that the expiration period is counted from the user's initial login; it is not an idle time measured from the last login.

You can expire tokens explicitly by using the application admin feature. If disabled, the token will be invalidated regardless of its expiration date. The token is also invalidated when the user changes their password.

Setting the expiration period with the API

You can use the [Kii setAccessTokenExpiration:] method to expire the token after a certain period. Once you set the token expiration period, it is applied to all tokens received from that point forward.

If you set an expiration period, the authenticateWithToken:andExpiresAt:andBlock method is useful: passing the period to it lets the accessTokenDictionary manage the period.

Swift 3:

  • // Get an access token and its lifetime from the storage with your own function.
    let token = getStoredToken()
    let expiresAt = getStoredTokenExpiresAt()
    
    do {
      // Authenticate a user with the access token.
      try KiiUser.authenticate(withTokenSynchronous: token, andExpiresAt: expiresAt)
    } catch let error as NSError {
      // Handle the error.
      return
    }
  • // Get an access token and its lifetime from the storage with your own function.
    let token = getStoredToken()
    let expiresAt = getStoredTokenExpiresAt()
    
    // Authenticate a user with the access token.
    KiiUser.authenticate(withToken: token, andExpiresAt: expiresAt, andBlock: { (user, error) -> Void in
      if (error != nil) {
        // Handle the error.
        return
      }
    })

Objective-C:

  • // Get an access token and its lifetime from the storage with your own function.
    NSString *token = [self getStoredToken];
    NSDate *expiresAt = [self getStoredTokenExpiresAt];
    
    NSError *error;
    
    // Authenticate a user with the access token.
    [KiiUser authenticateWithTokenSynchronous:token
                                 andExpiresAt:expiresAt
                                     andError:&error];
    if (error != nil) {
      // Handle the error.
      return;
    }
  • // Get an access token and its lifetime from the storage with your own function.
    NSString *token = [self getStoredToken];
    NSDate *expiresAt = [self getStoredTokenExpiresAt];
    
    // Authenticate a user with the access token.
    [KiiUser authenticateWithToken:token
                      andExpiresAt:expiresAt
                          andBlock:^(KiiUser *user, NSError *error) {
      if (error != nil) {
        // Handle the error.
        return;
      }
    }];
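
The samples above read the token and its expiry from storage "with your own function". As an added example (not part of the Kii SDK or of the original page), one way to back those functions in Swift is the iOS Keychain, treating a token at or past its expiry as absent so the app falls back to a refresh or re-login. `TokenStore`, `StoredToken` and the service name are hypothetical; the code uses `Codable`, so it needs Swift 4 or later.

```swift
import Foundation
import Security

// Hypothetical Keychain-backed store for the token and its expiry (names are assumptions).
struct StoredToken: Codable {
    let token: String
    let expiresAt: Date   // fixed at login; not extended by later use of the token
}

enum TokenStore {
    static let service = "com.example.myapp.kii-token"  // placeholder service name

    private static var baseQuery: [String: Any] {
        return [kSecClass as String: kSecClassGenericPassword,
                kSecAttrService as String: service]
    }

    static func save(_ stored: StoredToken) -> Bool {
        guard let data = try? JSONEncoder().encode(stored) else { return false }
        SecItemDelete(baseQuery as CFDictionary)  // replace any previous entry
        var attrs = baseQuery
        attrs[kSecValueData as String] = data
        // Readable after first unlock, and not restorable onto another device from a backup.
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        return SecItemAdd(attrs as CFDictionary, nil) == errSecSuccess
    }

    static func clear() {
        SecItemDelete(baseQuery as CFDictionary)
    }

    /// Returns the stored token, or nil if it is missing or within `margin` seconds of expiry.
    static func loadValid(now: Date = Date(), margin: TimeInterval = 60) -> StoredToken? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data,
              let stored = try? JSONDecoder().decode(StoredToken.self, from: data) else {
            return nil
        }
        if stored.expiresAt.timeIntervalSince(now) <= margin {
            clear()  // an expired token is only a liability; do not keep it on the device
            return nil
        }
        return stored
    }
}
```

Call `TokenStore.clear()` on logout and on password change as well, since the server invalidates the token in those cases regardless of `expiresAt`.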

Setting the access token policy on the developer portal

On the developer portal, you can set the access token policy by setting the default/maximum expiration period and by toggling refresh token on/off.

See Configuring Access Token Policy for the details on how to set the policy.

See Refreshing the Access Token for an overview of how the refresh token works. When you are using the refresh token, make sure to set the expiration period of the access token appropriately. Setting the expiration period too long increases the risk of the access token being leaked and misused. Setting it too short increases how often the refresh token is sent to the server, which raises the risk of the refresh token being leaked and misused.

Target APIs

When you set the expiration period on the access token, the setting will be applied to the following actions:

  • Logging in with a password.

  • Creating a new user.

  • Logging in with an external service account (with the native application authentication).

The following actions will not be affected:

  • Logging in with a saved access token (the expiration period already applied to the existing token remains in effect).

  • Logging in with information saved by the Kii Cloud SDK (the expiration period already applied to the existing token remains in effect).

  • Logging in as a pseudo user (the default value will always be applied so that the token never expires).