Rob Allen

Pragmatism in today's world

Changing Apigility's auth token expiry

By default, the OAuth 2 token that is generated in an Apigility app expires in 1 hour. Upon expiry, the client is expected to use the refresh token to get a new access token.

You can see this when you authenticate via a POST to /oauth as you get this response back:

{
    "access_token": "3812aaea7640a2567c66e21e2587450821103552",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": null,
    "refresh_token": "72d5df08c971526a4ba7c83ec2a7b92d82d9715b"
}

If you need longer than 1 hour, then simply add this top level configuration setting:

    'zf-oauth2' => [
        'access_lifetime' => 7200,
    ],

The access_lifetime key controls the expiry time and is in seconds, so in this case I’ve set it to 2 hours.

This article was posted on in Apigility

4 thoughts on “Changing Apigility's auth token expiry

  1. We have needed to make this change ourselves this very week. I have written a CLI php script to generate a client to be used in server to server comms and the client_credentials grant type. I wanted the token to 'never expire' so decided to set the expiration date well in the future. Is there a better way of doing this do you think?

    1. Let's write that more verbose, because it's not obvious from my previous comment:

      'zf-oauth2' => [
    'access_lifetime' => 1200,
    'options' => [
        'refresh_token_lifetime' => 3600,
    ]
],

Comments are closed.

Search


I'm Rob Allen, a software consultant and engineering leader, concentrating on HTTP APIs. A proponent of Open Source, I maintain rst2pdf and Slim Framework, and contribute to Apache OpenWhisk amongst other OSS projects.

I live in the UK, run 19FT and publish Daily Jotter for Mac. I am a public speaker and wrote Zend Framework in Action.

Follow

Nineteen Feet Limited logo

Books I've written

Zend Framework in Action book cover
C++Builder 5 Developer's Guide book cover