REST – How to Decide Token Expiry Time in REST Web Service

Tags: rest, web-services

I am working on creating a REST ws exposing a few APIs. A token is required for each API call. I am confused about the expiry time to be set for the token.

Security- and performance-wise, what is the ideal expiry time for a token (if there is one)?

Best Answer

Generally speaking I'd say it depends on what the API is for.

  • If your users are just going to make the occasional call, then a short expiry will be fine - a few minutes, perhaps; just long enough to cover a second call if there's an error with the first one.
  • If they'll be using it in longer sessions, then a longer time will be needed; about twice the length of the average session seems sensible, so if the average user uses the software in a way that generates API calls for about twenty minutes, then a thirty- or forty-minute expiry time should do.
  • If the API is used more continuously, perhaps by a mobile app that's updating regularly all day, then it's a judgement call.
    • If the calls are far enough apart, then a short token is fine, as in the first example; they'll have to auth every time, but not on re-submissions if there's an error.
    • If the calls are more frequent, then it's just a matter of how long you think is "secure"; I'd say definitely not more than a day. If you have the facility to do so, try timing some calls, with no token, a valid token and an expired token. Then, look at your average usage and see how often it generates API calls. I'd say to set your expiry time such that the average time for all calls is not more than 1.5 times the average call with a valid token (i.e. the process of getting a new token is not adding more than 50% to the total time). If that feels slow in testing, reduce the fraction to 1.45, 1.4, 1.35 etc. until it feels OK.
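The following is an added example, not code from the question or the answer above. It puts the answer's sizing rules into runnable form: `expiry_for_session` applies the "about twice the average session" rule, and `min_expiry_for_overhead` generalises the "not more than 1.5 times the average call" rule by assuming (my assumption, not the answer's) that with calls every `call_interval` seconds and an expiry of `E` seconds, roughly `call_interval / E` of all calls have to fetch a new token first. `simulate_average_call_time` replays a stream of calls against an expiring token so you can check the figure your chosen expiry actually gives. The HMAC-signed token format, the secret key and all timings are constructed for the example; the point of `verify_token` is that the signature is checked before the expiry is trusted, and that an expired token is rejected distinctly from a forged one so that clients can tell "re-authenticate" from "this is an attack".

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; a real service loads it from a secret store.
SECRET_KEY = b"example-secret-do-not-use-in-production"


def _b64encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64decode(text: bytes) -> bytes:
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: float = None) -> str:
    """Issue a token carrying a subject and an absolute expiry (Unix seconds), HMAC-signed."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "exp": int(now + ttl_seconds)}
    body = _b64encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return (body + b"." + _b64encode(sig)).decode()


def verify_token(token: str, now: float = None) -> tuple:
    """Return (True, subject) or (False, reason).

    The signature is verified first, so an attacker cannot extend 'exp' by editing
    the payload; only after that is the expiry read and compared against 'now'.
    """
    now = time.time() if now is None else now
    try:
        body, sig_b64 = token.encode().split(b".", 1)
        expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64decode(sig_b64)):
            return False, "bad-signature"
        payload = json.loads(_b64decode(body))
    except ValueError:  # missing separator, bad base64 or bad JSON
        return False, "malformed"
    if now >= payload.get("exp", 0):
        return False, "expired"
    return True, payload.get("sub")


def expiry_for_session(avg_session_seconds: float) -> float:
    """The answer's rule of thumb for session-style use: about twice the average session."""
    return 2.0 * avg_session_seconds


def min_expiry_for_overhead(call_interval: float, t_valid: float, t_reauth: float,
                            max_overhead: float = 0.5) -> float:
    """Smallest expiry (seconds) keeping re-auth cost within max_overhead of t_valid.

    Assumption: with calls every call_interval seconds and expiry E, about call_interval/E
    of the calls need a fresh token, so the average call costs
        t_valid + (call_interval / E) * t_reauth  <=  (1 + max_overhead) * t_valid.
    Solving for E gives the bound below.
    """
    return call_interval * t_reauth / (max_overhead * t_valid)


def simulate_average_call_time(expiry: float, call_interval: float, t_valid: float,
                               t_reauth: float, n_calls: int) -> float:
    """Replay n_calls spaced call_interval apart, paying t_reauth whenever the token expired."""
    total = 0.0
    token_expires_at = -1.0  # no token at the start
    for k in range(n_calls):
        now = k * call_interval
        if now >= token_expires_at:
            total += t_reauth  # fetch a new token before this call
            token_expires_at = now + expiry
        total += t_valid
    return total / n_calls


if __name__ == "__main__":
    # Constructed figures: a call every 10 s, 100 ms with a valid token, 300 ms to re-auth.
    e = min_expiry_for_overhead(call_interval=10.0, t_valid=0.1, t_reauth=0.3)
    print("minimum expiry for <=50% overhead:", e, "seconds")
    print("simulated average call time at that expiry:",
          simulate_average_call_time(e, 10.0, 0.1, 0.3, 600))
    tok = issue_token("alice", int(e), now=1000.0)
    print(verify_token(tok, now=1010.0), verify_token(tok, now=1000.0 + e))
```

The simulation is the cheap stand-in for the timing exercise the answer suggests: feed it your measured valid-token and re-auth latencies and your observed call interval, and lower `max_overhead` (0.45, 0.4, ...) exactly as the answer describes if the result feels slow.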