Authorization duration

Authorization duration defines how long a user’s access or permissions remain valid before requiring reauthentication or reauthorization. This duration applies to temporary credentials like authorization codes and grants, and it plays an important role in balancing security with user experience.

Durations may vary depending on your application’s security requirements and can range from a few minutes to several hours. Shorter durations enhance security, while longer durations may improve user flow.

Authorization code duration

After successful user verification, ID.me issues an authorization code and redirects the user back to your application. The redirect URI includes:

  • The authorization code
  • The original state value (if one was provided)

Authorization codes are short-lived and expire shortly after being issued. While the OAuth 2.0 specification recommends a maximum of ten minutes, ID.me typically uses a shorter window for enhanced security.

Authorization grant duration

By default, authorization grants issued by ID.me expire 5 minutes after they are created. This duration can be adjusted, either shortened or extended, by working with your dedicated Solution Consultant. If you are unsure who that is, email partnersupport@id.me for assistance.

Important

Authorization grants can only be used once. If a client attempts to reuse a grant, the request will be rejected and any tokens issued from that grant will be revoked.
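
The expiry and single-use rules above, modelled as a small in-memory store. This is an added example, not ID.me's implementation; `GrantStore`, its method names and the caller-supplied `now` timestamps (in seconds) are assumptions made for illustration. It can serve as a test double when checking that a client never submits the same grant twice:

```python
import secrets

GRANT_TTL_SECONDS = 300  # the 5-minute default stated on this page


class GrantError(Exception):
    """Raised when a grant cannot be redeemed."""


class GrantStore:
    """Illustrative model: grants expire, are single-use, and replay revokes tokens."""

    def __init__(self, ttl=GRANT_TTL_SECONDS):
        self.ttl = ttl
        self._grants = {}      # grant code -> {"issued", "used", "tokens"}
        self._revoked = set()  # tokens revoked after a replayed grant

    def issue(self, now):
        """Create a grant at time `now` (seconds) and return its code."""
        code = secrets.token_urlsafe(32)
        self._grants[code] = {"issued": now, "used": False, "tokens": []}
        return code

    def redeem(self, code, now):
        """Exchange a grant for a token, enforcing expiry and single use."""
        grant = self._grants.get(code)
        if grant is None:
            raise GrantError("unknown grant")
        if grant["used"]:
            # Reuse is rejected and every token from this grant is revoked.
            self._revoked.update(grant["tokens"])
            raise GrantError("grant already used; its tokens are revoked")
        if now - grant["issued"] >= self.ttl:
            raise GrantError("grant expired")
        grant["used"] = True
        token = secrets.token_urlsafe(32)
        grant["tokens"].append(token)
        return token

    def is_active(self, token):
        """True if the token was issued by this store and has not been revoked."""
        issued = any(token in g["tokens"] for g in self._grants.values())
        return issued and token not in self._revoked
```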

For a detailed explanation of how authorization codes are used within the OAuth 2.0 flow, please see our OAuth 2.0 guide.