How to Set Session Timeout for Token Based Authentication


Can anyone point me to how to set the timeout for token-based authentication on a mobile app built with react native? Users are able to authenticate successfully but we notice that their session is perpetually kept alive in spite of the parameters defined in the system settings which is not good for our use case.

Any help will be appreciated.


@flexy2ky those parameters are not about api expiry . I dont think they expire

Use Bearer Token instead. It expires in 1 hour and you need to refresh it when new one is needed.

@revant_one We indeed currently use bearer token but the user session persists even after one day. We pass session id with every request and the Session ID has a 3-day lifespan and I can’t figure out how to bring that to less than a day. Could the Session ID be the issue then?

We have a scheduled job running everyday to re-generate API Secret. That way, the token gets changed and users log out.

@rtdany10 If you don’t mind can you share the code? It would help me as a workaround.

user_details = frappe.get_doc("User", user)
api_secret = frappe.generate_hash(length=15)
user_details.api_secret = api_secret

Thanks for your help but this workaround doesn’t work for token-based authentication.

try deleting OAuth Bearer Token that were created 1 hr ago with a cron / scheduled task. Before you ask, I don’t have any sample code. Check frappe hooks for existing token delete code.

this will revoke the tokens making them invalid.
user will have to get fresh token, if the user is still in session in the mobile app, it’ll automatically create token. It won’t log out your user even if you delete all tokens. session is different, token is different.