Yes, you can use Ory to generate tokens for API access. However, it's important to note that Ory's OAuth2 tokens are not designed to be non-expiring. By default, access tokens in Ory last for one hour, and refresh tokens last for 30 days. The maximum age of refresh tokens is 6 months, meaning that refresh tokens must be rotated at least every 6 months. However, Ory does provide the ability to adjust the lifespan of these tokens. You can modify the access, ID, and refresh token lifespan for each grant type individually per client using the SDK. You can also configure the token's expiration time globally using the Ory CLI. Here is an example of how to configure the lifespan for specific clients using the SDK:

javascript import { Configuration, OAuth2Api } from "@ory/client"      const ory = new OAuth2Api(     new Configuration({       basePath: `https://${process.env.ORY_PROJECT_SLUG}.<http://projects.oryapis.com|projects.oryapis.com>`,       accessToken: process.env.ORY_API_KEY,     }),   )      export async function setClientLifespans(clientId: string) {     await ory.setOAuth2ClientLifespans({       id: clientId,       oAuth2ClientTokenLifespans: {         authorization_code_grant_access_token_lifespan: "1h",         authorization_code_grant_id_token_lifespan: "12h",         authorization_code_grant_refresh_token_lifespan: "24h",         client_credentials_grant_access_token_lifespan: "1h",         implicit_grant_access_token_lifespan: "1h",         implicit_grant_id_token_lifespan: "12h",         jwt_bearer_grant_access_token_lifespan: "1h",         refresh_token_grant_access_token_lifespan: "1h",         refresh_token_grant_id_token_lifespan: "12h",         refresh_token_grant_refresh_token_lifespan: "24h",       },     })   }

You can also use the Ory CLI to configure the access token's lifespan. The following command sets the access token's lifespan to two hours globally:

bash ory patch oauth2-config --project <project-id> --workspace <workspace-id> \     --replace "/ttl/access_token=\"2h\"" \     --format yaml

However, it's important to note that using access and refresh tokens for session management is not recommended. Instead, Ory suggests using Ory Session Tokens if you want to interface your API with native apps and clients which do not have a browser. For more information, you can refer to the following documentation: - [Configure token expiration time](https://www.ory.sh/docs/hydra/guides/client-token-expiration) - [OAuth2 refresh token grant](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#change-refresh-token-lifespan) - [What about access tokens / refresh tokens?](https://www.ory.sh/docs/security-model#what-about-access-tokens--refresh-tokens) - [Configure Ory OAuth2 and OpenID](https://www.ory.sh/docs/guides/cli/oauth2-cli#adjust-specific-keys) - [Why you probably do not need OAuth2 / OpenID Connect](https://www.ory.sh/oauth2-openid-connect-do-you-need-use-cases-examples/#convince-your-peers)