Expiration Period of the Access Token

An access token has an expiration period; the default is 2147483647 seconds (68 years). With the default expiration period, therefore, you do not have to worry about token expiration and re-login.

You can change this value to set an explicit expiration period on the access token and strengthen security (i.e. reduce the risk of access token leakage).

If you set the expiration period, the token is invalidated once this period has passed; accessing Kii Cloud with the invalidated access token returns an error. You can automatically replace the expired access token with a new one by using the refresh token feature available in the Kii Cloud SDKs for Android and iOS and in the REST API.

Please note that the expiration period is counted from the user's initial login; it is not the idle time since the last login.

You can expire tokens explicitly by using the application admin feature. If disabled, the token will be invalidated regardless of its expiration date. The token is also invalidated when the user changes their password.

Setting the expiration period with the API

You can use the Kii.setAccessTokenExpiration(long) method to expire the token after a certain period. Once you set the token expiration period, this will be applied to all tokens received from that point forward.

When you have set the expiration period, you can specify it when you execute the KiiUser.loginWithToken(String, long) method. This allows you to maintain the expiration period with KiiUser.getAccessTokenBundle.

  • // Get an access token and its lifetime from the storage with your own function.
    String token = getStoredToken();
    long expiresAt = getStoredTokenExpiresAt();
    
    try {
      // Authenticate a user with the access token.
      KiiUser.loginWithToken(token, expiresAt);
    } catch (IOException e) {
      // Handle the error.
    } catch (AppException e) {
      // Handle the error.
    }
  • // Get an access token and its lifetime from the storage with your own function.
    String token = getStoredToken();
    long expiresAt = getStoredTokenExpiresAt();
    
    // Authenticate a user with the access token.
    KiiUser.loginWithToken(new LoginCallBack() {
      @Override
      public void onLoginCompleted(KiiUser kiiUser, Exception exception) {
        if (exception != null) {
          // Handle the error.
          return;
        }
      }
    }, token, expiresAt);
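
The following is an added example, not code from the Kii Cloud SDK: it shows how an app might check a stored expiry before calling KiiUser.loginWithToken, given that the period is counted from the initial login rather than from the last activity. The class, the method names, the 60-second safety margin and the storage of the expiry as an absolute instant are all assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;

// Added example (hypothetical helper, not part of the Kii Cloud SDK).
public class StoredTokenCheck {
  enum Action { REUSE, REFRESH, RELOGIN }

  // The expiry is fixed once, at the initial login. Later activity never
  // moves it, because the period is not an idle timeout.
  static Instant expiresAt(Instant initialLogin, long lifetimeSeconds) {
    return initialLogin.plusSeconds(lifetimeSeconds);
  }

  // A token that lapses within 'margin' is treated as already expired, so a
  // request is not sent with a token that becomes invalid while in flight.
  static Action decide(Instant expiresAt, Instant now, Duration margin,
                       boolean hasRefreshToken) {
    if (now.plus(margin).isBefore(expiresAt)) {
      return Action.REUSE;   // safe to call KiiUser.loginWithToken
    }
    // Expired or about to expire: refresh if the app holds a refresh token,
    // otherwise the user has to log in again.
    return hasRefreshToken ? Action.REFRESH : Action.RELOGIN;
  }

  public static void main(String[] args) {
    // Constructed sample values.
    Instant login = Instant.parse("2024-01-01T00:00:00Z");
    long lifetime = 3600; // seconds, as given to Kii.setAccessTokenExpiration(long)
    Duration margin = Duration.ofSeconds(60); // assumed safety margin
    Instant exp = expiresAt(login, lifetime);

    // Half-way through the lifetime.
    System.out.println(decide(exp, login.plusSeconds(1800), margin, false));
    // 30 seconds before expiry: inside the margin, refresh token available.
    System.out.println(decide(exp, login.plusSeconds(3570), margin, true));
    // Past expiry with no refresh token, even if the user was active a
    // minute earlier.
    System.out.println(decide(exp, login.plusSeconds(4000), margin, false));

    // Default lifetime of 2147483647 seconds, checked ten years after login.
    Instant defaultExp = expiresAt(login, 2147483647L);
    System.out.println(
        decide(defaultExp, login.plus(Duration.ofDays(3650)), margin, false));
  }
}
```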

Setting the access token policy on the developer portal

On the developer portal, you can set the access token policy by setting the default/maximum expiration period and by toggling refresh token on/off.

See Configuring Access Token Policy for the details on how to set the policy.

See Refreshing the Access Token for an overview of how the refresh token works. When you are using the refresh token, make sure to set the expiration period of the access token appropriately. Setting the expiration period too long increases the risk of the access token being leaked and misused. Setting it too short increases how often the refresh token is sent to the server, which raises the risk of the refresh token being leaked and misused.

Target APIs

When you set the expiration period on the access token, the setting will be applied to the following actions:

  • Logging in with a password.

  • Creating a new user.

  • Logging in with the external service account (with the native application authentication).

The following actions will not be affected:

  • Logging in with a saved access token (the expiration period applied to the existing token will be applied).

  • Logging in with information saved by the Kii Cloud SDK (the expiration period applied to the existing token will be applied).

  • Logging in as a pseudo user (the default value will always be applied so that the token never expires).