# ory-copilot
@chilly-king-10285 Where is the expiration of a refresh token managed?
A message from kapa.ai
The expiration of a refresh token in Ory is managed through the Ory CLI or the SDK. By default, the refresh token in Ory lasts for 30 days, and the maximum age of refresh tokens is 6 months. This means that refresh tokens must be rotated at least every 6 months. You can configure the refresh token's expiration time globally using the Ory CLI with the following command:
```bash
ory patch oauth2-config --project <project-id> --workspace <workspace-id> \
  --replace "/ttl/refresh_token=\"24h\"" \
  --format yaml
```
In this command, replace `<project-id>` and `<workspace-id>` with your project and workspace IDs, and `"24h"` with the desired lifespan for the refresh token. You can also modify the refresh token lifespan for each grant type individually per client using the SDK:
```typescript
import { Configuration, OAuth2Api } from "@ory/client"

// API client for the project, authenticated with an Ory API key
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

// Override the refresh token lifespan for the refresh token grant of one client
export async function setClientLifespans(clientId: string) {
  await ory.setOAuth2ClientLifespans({
    id: clientId,
    oAuth2ClientTokenLifespans: {
      refresh_token_grant_refresh_token_lifespan: "24h",
    },
  })
}
```
In this code, replace `"24h"` with the desired lifespan for the refresh token.

Sources:
- [Configure token expiration time](https://www.ory.sh/docs/hydra/guides/client-token-expiration)
- [Change refresh token lifespan](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#change-refresh-token-lifespan)
- [Lifespan configuration for specific clients](https://www.ory.sh/docs/hydra/guides/client-token-expiration#lifespan-configuration-for-specific-clients)