Tokens
# JWT Expiration
The length of time before JWTs expire. Generally you should keep this short (< 30 minutes) and use the `refreshToken` mutation to get a new JWT.
Possible values are:
- 15 minutes
- 30 minutes
- 1 hour
- 1 day
- 1 week
# Refresh Token Expiration
The length of time before refresh tokens expire.
Possible values are:
- 1 week
- 1 month
- 3 months
- 6 months
- 1 year
# JWT Secret Key
The key used to sign JWTs when they are generated and to verify them when they are validated. This defaults to a randomly generated string using `Craft::$app->getSecurity()->generateRandomString(32)`, but you're free to use anything you like here!
# SameSite Cookie Policy
The `SameSite` cookie policy to use for the `HttpOnly` refresh token cookie that is automatically sent with the authentication mutations.
Possible values are:
- Strict
- Lax
- None
Tip: If you're authenticating from a domain separate from your Craft admin, Safari and Firefox may deem this a 'cross-site tracking cookie' and block it.
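
To see which policy fits a given front end, the following added example (not part of the plugin or its documentation) models a browser's SameSite decision for the refresh token cookie. The hostnames, the POST transport for the mutation, and the `blocksThirdPartyCookies` switch are assumptions made for illustration.

```javascript
// Added example: a simplified model of a browser's SameSite decision.
// Assumption: "site" = scheme + last two host labels. Real browsers use the
// Public Suffix List, so hosts under suffixes such as co.uk are not handled.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// Decide whether the refresh token cookie accompanies a request.
//   cookie:  { sameSite: 'Strict' | 'Lax' | 'None', secure: boolean }
//   request: { from, to, method, topLevelNavigation }
//   browser: { blocksThirdPartyCookies } models the Safari/Firefox tip above
function cookieIsSent(cookie, request, browser = {}) {
  if (siteOf(request.from) === siteOf(request.to)) return true; // same-site: sent
  switch (cookie.sameSite) {
    case 'Strict':
      return false;
    case 'Lax': // cross-site only on top-level navigations with a safe method
      return Boolean(request.topLevelNavigation) && ['GET', 'HEAD'].includes(request.method);
    case 'None': // requires Secure, and can still be blocked as a third-party cookie
      return cookie.secure && !browser.blocksThirdPartyCookies;
    default:
      throw new Error(`unknown SameSite policy: ${cookie.sameSite}`);
  }
}

// Constructed scenario: Craft at cms.example.com; a token refresh sent as a
// background POST (assumed transport for the GraphQL mutation) from a front end.
const CRAFT = 'https://cms.example.com/api';
function refreshOutcomes(frontEnd, browser = {}) {
  const request = { from: frontEnd, to: CRAFT, method: 'POST', topLevelNavigation: false };
  const out = {};
  for (const sameSite of ['Strict', 'Lax', 'None']) {
    out[sameSite] = cookieIsSent({ sameSite, secure: true }, request, browser);
  }
  return out;
}

console.log(refreshOutcomes('https://app.example.com'));  // same site as Craft
console.log(refreshOutcomes('https://shop.example.org')); // different site
console.log(refreshOutcomes('https://shop.example.org', { blocksThirdPartyCookies: true }));
```

A front end on a subdomain of the Craft site can keep `Strict`; only a front end on a different site needs `None`, and that is the case the tip describes.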