When integrating applications with authentik, you may occasionally need to adjust how long access tokens, refresh tokens, or ID tokens remain valid. This is especially useful when balancing security requirements with user convenience.
This guide walks through exactly where to change token expiry settings for a specific provider in authentik.
Why Adjust Token Expiry?
You might want to change token expiry if:
- Users are being logged out too frequently
- Your application requires longer-lived tokens (e.g. background services, APIs)
- You want tighter security by reducing token lifetime
- You’re troubleshooting authentication or refresh issues
Rather than changing global defaults, authentik allows you to configure token lifetimes per provider, which is the recommended approach.
Where Token Expiry Is Configured
Token expiry settings are not found in flows or applications. They live directly inside the provider configuration.
The exact path is:
Providers → Your Provider → Edit → Advanced protocol settings
This applies to OAuth2 / OpenID Connect providers.
Step-by-Step: Change Token Expiry in authentik
1. Open the Admin Interface
Log into the authentik admin UI using an account with administrative privileges.
2. Navigate to Providers
From the left-hand menu:
- Click Providers
- Select the provider you want to modify (for example, an OAuth2 or OIDC provider used by an app)
3. Edit the Provider
- Click Edit on the selected provider
4. Open Advanced Protocol Settings
Scroll down and expand Advanced protocol settings.
This section contains all token lifetime and protocol-specific options.
5. Adjust Token Expiry Values
Depending on the provider type and authentik version, you may see options such as:
- Access token validity
- Refresh token validity
- ID token validity
These values are typically defined in seconds.
Example values:
- Access token: 900 (15 minutes)
- Refresh token: 2592000 (30 days)
- ID token: 300 (5 minutes)
Adjust these to suit your security and usability requirements.
6. Save the Provider
Once updated:
- Click Save
The new token expiry settings take effect immediately for newly issued tokens.
⚠️ Existing tokens will not be retroactively updated. Users may need to re-authenticate for the changes to apply.
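To confirm that a newly issued token actually carries the lifetime you configured, decode its claims and compare exp minus iat with the provider setting. This is an added example, not authentik's own code: it assumes the token is a JWT carrying numeric iat and exp claims, the function names are hypothetical, and the sample token is constructed with a dummy signature.

```python
import base64
import json
import time


def read_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (possibly an opaque token)")
    try:
        # JWT segments are unpadded base64url; restore padding before decoding.
        raw = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        claims = json.loads(raw)
    except ValueError as exc:
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def check_lifetime(token, expected_seconds, now=None):
    """Compare the token's exp - iat with the lifetime set on the provider."""
    claims = read_claims(token)
    try:
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("token lacks numeric iat/exp claims") from exc
    now = int(time.time()) if now is None else now
    lifetime = exp - iat
    return {
        "lifetime": lifetime,
        "matches_config": lifetime == expected_seconds,
        "remaining": max(0, exp - now),
        "expired": now >= exp,
    }


def make_sample_token(iat, lifetime):
    """Constructed sample token with a dummy signature, so this runs offline."""
    def enc(obj):
        data = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    payload = {"sub": "demo-user", "iat": iat, "exp": iat + lifetime}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "c2ln"])


if __name__ == "__main__":
    token = make_sample_token(1_700_000_000, 900)
    print(check_lifetime(token, 900, now=1_700_000_060))
```

Run it against a token issued after the save; a token issued before the change will still report the old lifetime. Treat the decoded claims as diagnostic output only, since nothing here validates the signature.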
Important Notes & Best Practices
Token Expiry Is Per Provider
Each provider has its own token lifetime settings. If you use multiple providers (e.g. one per app), you must configure each individually.
Shorter Is Safer
- Keep access tokens short-lived
- Rely on refresh tokens for long sessions
- Avoid very long access token expiry unless absolutely necessary
Application Compatibility
Ensure your application:
- Supports token refresh
- Handles token expiry gracefully
- Does not cache tokens longer than their validity
Common Troubleshooting Tips
- Users still getting logged out?
  - Verify refresh token expiry, not just access token expiry
- Changes not applying?
  - Existing sessions may still be using old tokens
- App ignoring expiry?
  - Check app-side token handling and refresh logic
Summary
To change token expiry in authentik for a specific provider:
- Go to Providers
- Select your provider
- Click Edit
- Open Advanced protocol settings
- Adjust token validity values
- Save the provider
This per-provider approach gives you fine-grained control over authentication behaviour while keeping your system secure.
If you’re running authentik behind reverse proxies, using multiple OAuth clients, or integrating with self-hosted services, tuning token expiry per provider is a powerful and often overlooked feature.