long-lived token

[sofiadipace]

Hi there! 😊

I have a quick question regarding the tokens generated using the coral-cli (Doku)

Our team generated some tokens internally, and we assumed they were long-lived since they didn’t include an exp claim.
When decoding the token, we see the following claims:

{
  "pat": true,
  "iat": xxxxx,
  "nbf": xxxxxxx,
  "iss": "xxx",
  "sub": "xxxx",
  "jti": "xxxx"
}

They have been valid for a very long time. In the coral docu it stands, that they currently don't expire. However, today we encountered the following error when trying to execute a mutation against Coral:

code: "TOKEN_INVALID"
type: "INVALID_REQUEST_ERROR"

So our question is: are these tokens truly long-lived, or is there an internal expiration mechanism even without an exp claim?

Thanks in advance for your help!

[Scott-Fischer]

One thing to keep an eye on is the SIGNING_SECRET env variable that gets passed to the app. Because that's used to both generate and validate the tokens. So if you roll the secret, you'll need to generate new tokens to prevent a mismatch during validation.