JWT Expiration

The length of time before JWTs expire. Generally you should keep this short (< 30 minutes) and use the refreshToken mutation to get a new JWT.

Possible values are:

  • 15 minutes
  • 30 minutes
  • 1 hour
  • 1 day
  • 1 week

Refresh Token Expiration

The length of time before refresh tokens expire.

Possible values are:

  • 1 week
  • 1 month
  • 3 months
  • 6 months
  • 1 year

JWT Secret Key

The key that is used to sign the JWT at generation and validation time. This defaults to a randomly-generated string using Craft::$app->getSecurity()->generateRandomString(32), but you're free to use anything you like here!

SameSite Cookie Policy

The SameSite cookie policy to use for the HttpOnly refresh token cookie that is automatically sent with the authentication mutations.

Possible values are:

  • Strict
  • Lax
  • None

If you're authenticating from a domain separate from your Craft admin, Safari and Firefox may deem this a 'cross-site tracking cookie' and block it.