<@U04UQ68083H> jwt_bearer_grant_access_token_lifes...
# ory-copilot
@chilly-king-10285 jwt_bearer_grant_access_token_lifespan vs client_credentials_grant_access_token_lifespan difference for oauth client?
A message from kapa.ai
The difference between `jwt_bearer_grant_access_token_lifespan` and `client_credentials_grant_access_token_lifespan` for an OAuth client in Ory is the grant type for which each lifespan applies:

- `client_credentials_grant_access_token_lifespan`: This setting controls the lifespan (expiration time) of access tokens issued when the client uses the Client Credentials Grant. In this flow, the client authenticates directly with the authorization server (no user involved) to obtain an access token.
- `jwt_bearer_grant_access_token_lifespan`: This setting controls the lifespan of access tokens issued when the client uses the JWT Bearer Grant (`urn:ietf:params:oauth:grant-type:jwt-bearer`). In this flow, the client presents a signed JWT as an assertion to authenticate and obtain an access token, often used for server-to-server or delegated access scenarios.

Both settings allow you to configure how long the access token is valid for their respective grant types, and they are independent of each other. You can set them per client using the Ory API or SDK, for example:
```js
await ory.setOAuth2ClientLifespans({
  id: clientId,
  oAuth2ClientTokenLifespans: {
    client_credentials_grant_access_token_lifespan: "1h",
    jwt_bearer_grant_access_token_lifespan: "1h",
    // ... other lifespans
  },
})
```
[Configure token expiration time](https://www.ory.sh/docs/hydra/guides/client-token-expiration)

In summary:

- Use `client_credentials_grant_access_token_lifespan` for tokens issued via the client credentials grant.
- Use `jwt_bearer_grant_access_token_lifespan` for tokens issued via the JWT bearer grant.

They serve different OAuth2 grant types and can be configured separately per client.