Change session timeout

important

By default, the session timeout is for 100 days.

This means that a user will get logged out only after 100 days of inactivity. To put this another way, if a user is active even once in a 100 days (after the access token expires), their session's lifetime is extended by another 100 days.

This value can be changed by:

Changing the refresh_token_validity value (time in mins): Determines the overall session timeout.
- The default is 100 days.
Changing the access_token_validity value (time in seconds): Does not affect the overall session timeout, but affects how often session refreshing occurs.
- The default is 1 hour.
- This time does not determine the user experience, but only the security of the overall session system.

With Docker
Without Docker
With SaaS

 docker run \
    -p 3567:3567 \
    -e REFRESH_TOKEN_VALIDITY=<Default: 144000> \
    -e ACCESS_TOKEN_VALIDITY=<Default: 3600> \
    -d registry.supertokens.io/supertokens/supertokens-<db name>

# You need to add the following to the config.yaml file.
# The file path can be found by running the "supertokens --help" command

refresh_token_validity: # Default 144000

access_token_validity: # Default 3600

Navigate to your SuperTokens managed service dashboard, and click on the Edit Configuration button.
In there, change the values of the following fields, and click on save.

refresh_token_validity: # Default 144000

access_token_validity: # Default 3600

security

We recommend keeping the access_token_validity as small as possible because:

If they are stolen, then token theft detection can only occur after the access token expires.
If the session is revoked, and the user somehow still has their access token, they will be able to query the APIs until it expires (unless you switch on access token blacklisting).