Skip to content

Tokens & sessions

These settings control how long credentials and sessions stay valid — the trade-off between convenience and the window a stolen token or session is usable.

How long an issued access token is accepted.

  • Recommended: short — 300 seconds (5 min), the default. Use refresh tokens for longevity.
  • Ask the assistant: “Set the access-token lifespan to 5 minutes for acme-prod.”
  • Keycloak: Realm settings → Tokens → Access Token Lifespan.
  • Idle timeout — session ends after this much inactivity. Recommended: 30 min (default).
  • Max lifespan — hard cap regardless of activity. Recommended: 10 hours or less.
  • Ask the assistant: “Set the SSO idle timeout to 30 minutes for acme-prod.”
  • Keycloak: Realm settings → Sessions.

Keep idle timeouts short for pools accessed on shared or unattended devices.

Whether a refresh token is invalidated when it’s used (rotation).

  • Recommended: on — enable Revoke refresh token with a small max-reuse. A leaked refresh token is then invalidated the next time the legitimate client rotates it.
  • Ask the assistant: “Turn on refresh-token rotation for acme-prod.”
  • Keycloak: Realm settings → Tokens → Revoke Refresh Token.