Zero Trust · January 2025
JWT expiration strategy for SaaS platforms
Your JWT lifetime policy influences breach impact, refresh architecture, and compliance posture. Here is how leading SaaS platforms set expirations.
Recommended lifetimes
| Token type | Suggested exp | Notes |
|---|---|---|
| Interactive access tokens | 5–15 minutes | Combine with silent refresh or short session cookies. |
| API tokens | 1–5 minutes | Use client credentials to obtain new tokens. |
| Refresh tokens | 7–30 days | Rotate on every use; revoke on anomaly detection. |
Rotation patterns
Implement refresh token rotation so that each refresh token is valid for a single use and a stolen copy stops working as soon as the legitimate client rotates it. Track `jti` values to detect presentation of an already-rotated token, and bind refresh tokens to device identifiers.
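As an added example (not code from the original post or from any product it mentions), the rotation pattern above in Python: a minimal HS256 issuer whose verifier also rejects tokens whose lifetime exceeds the caps in the table, plus a refresh service that keeps one live `jti` per token family, binds the refresh token to a device identifier, and revokes the whole family with a structured event when a rotated-out token is presented again. The key, the 10-minute and 7-day lifetimes, the claim names `dev`/`fam`, and the event format are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets
KEY = b"constructed-demo-hmac-key"  # constructed; load from a secret store in practice
MAX_EXP = {"access": 15 * 60, "refresh": 30 * 24 * 3600}  # policy caps, seconds, from the table

def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims):
    # Mint a compact HS256 JWT; typ, iat and exp are required by verify() below.
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token, now):
    head, body, sig = token.split(".")
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), mac):
        raise ValueError("bad signature")
    c = json.loads(_unb64(body))
    if c["exp"] <= now or c["exp"] - c["iat"] > MAX_EXP[c["typ"]]:
        raise ValueError("expired or exp exceeds policy")  # over-long tokens fail even when validly signed
    return c

class RefreshService:
    def __init__(self):
        self.live = {}        # jti -> family of the currently valid refresh token
        self.revoked = set()  # families killed after reuse detection
        self.events = []      # structured events for the SIEM

    def issue(self, sub, device, now, family=None):
        family, jti = family or secrets.token_hex(8), secrets.token_hex(8)
        self.live[jti] = family
        access = sign({"typ": "access", "sub": sub, "iat": now, "exp": now + 10 * 60})
        refresh = sign({"typ": "refresh", "sub": sub, "dev": device, "jti": jti, "fam": family,
                        "iat": now, "exp": now + 7 * 24 * 3600})
        return access, refresh

    def rotate(self, refresh_token, device, now):
        c = verify(refresh_token, now)
        if c["fam"] in self.revoked or c["dev"] != device:
            raise PermissionError("refresh rejected")
        if c["jti"] not in self.live:  # jti already rotated out: a replayed (stolen) copy
            self.revoked.add(c["fam"])
            self.live = {j: f for j, f in self.live.items() if f != c["fam"]}
            self.events.append({"event": "refresh_reuse", "sub": c["sub"], "fam": c["fam"], "ts": now})
            raise PermissionError("refresh reuse detected; family revoked")
        del self.live[c["jti"]]  # single use: the presented jti dies here
        return self.issue(c["sub"], device, now, c["fam"])
```

Because the replayed token kills the family, the legitimate client's newer refresh token is rejected too and it must re-authenticate, which is the signal the incident playbook should act on.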
Incident response
- Maintain playbooks that revoke affected client IDs and notify customers.
- Temporarily shorten expirations during active incidents.
- Log token decisions to correlate suspicious access.
Automation tip
JWTSecrets Enterprise enforces maximum exp per application and rejects tokens that exceed policy. It also emits structured events for your SIEM.