Expiration times on access and refresh tokens can now be configured. | HTTP API

Expiration times on access and refresh tokens can now be configured.

17 February 2022

Composable Commerce

HTTP API

Enhancement

Security and privacyGraphQL

The expiration time for access and refresh tokens can now be configured per API Client by using the new accessTokenValiditySeconds and refreshTokenValiditySeconds fields. If specified, each access and refresh token created by the API Client will expire within the specified number of seconds. If not specified, the tokens will expire as per the default configuration.

Changes:

[API] Added accessTokenValiditySeconds field to API Client and APIClientDraft.
[API] Added refreshTokenValiditySeconds field to API Client and APIClientDraft.
[GraphQL API] Changed the APIClientWithoutSecret type:
- Added the refreshTokenValiditySeconds field to the APIClientWithoutSecret type.
- Added the accessTokenValiditySeconds field to the APIClientWithoutSecret type.
[GraphQL API] Changed the APIClientWithSecret type:
- Added the accessTokenValiditySeconds field to the APIClientWithSecret type.
- Added the refreshTokenValiditySeconds field to the APIClientWithSecret type.
[GraphQL API] Changed the CreateApiClient type:
- Input field refreshTokenValiditySeconds was added to CreateApiClient type
- Input field accessTokenValiditySeconds was added to CreateApiClient type

The following changes were introduced in terms of GraphQL SDL:

extend type APIClientWithoutSecret {
  accessTokenValiditySeconds: Int
  refreshTokenValiditySeconds: Int
}

extend type APIClientWithSecret {
  accessTokenValiditySeconds: Int
  refreshTokenValiditySeconds: Int
}

extend input CreateApiClient {
  accessTokenValiditySeconds: Int
  refreshTokenValiditySeconds: Int
}