Sanctum issued token

Hello there! I don't understand how sanctum uses the token expiration parameter. It seems to never consider it. I mean, if I change the expiration value In the config/sanctum.php file, Sanctum doesn't set automatically the expires_at date when it saves token in database:

   /*
    |--------------------------------------------------------------------------
    | Expiration Minutes
    |--------------------------------------------------------------------------
    |
    | This value controls the number of minutes until an issued token will be
    | considered expired. If this value is null, personal access tokens do
    | not expire. This won't tweak the lifetime of first-party sessions.
    |
    */
    'expiration' => 120,

The only way I found to set an expiration is to force it by myself when I issue tokens like that:

$token = $user->createToken('my-token', '*', now()->addMinutes(config('sanctum.expiration')));

Can you guys tell me what's the purpose of that expiration setting? many thanks.

tisuchi

2 years ago

Level 70

@xor677 This is how sanctum expiration works.

By default, Sanctum tokens never expire and may only be invalidated by revoking the token. However, if you would like to configure an expiration time for your application's API tokens, you may do so via the expiration configuration option defined in your application's sanctum configuration file. This configuration option defines the number of minutes until an issued token will be considered expired:

Check here: https://laravel.com/docs/10.x/sanctum#token-expiration

Xor677

2 years ago

Level 1

@tisuchi Thanks for your quick reply, but, that's exactly what I'm trying to explain: this expiration setting (described in the documentation) is pointless, because it is never read/used by sanctum.

1 like

Please or to participate in this conversation.