The maximum lifespan of session tokens in Ory is configurable, but the knowledge sources do not specify a hard upper limit for session lifespan. For refresh tokens in OAuth2, the maximum age is 6 months (180 days), but this does not necessarily apply to Ory Identities (Kratos) session tokens, which are configured separately and can be set to values like 30 days (e.g.,

720h

) or more, as shown in the documentation examples. You can set the session lifespan using the Ory Console or by updating the configuration file and applying it to your project. The value is expressed in hours, minutes, and seconds (e.g.,

720h

,

30d

,

1h13m3s

) [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan). Regarding setting different session lifespans for browser and API login flows: The knowledge sources do not mention a way to configure separate session lifespans for browser-based and API-based login flows. The session lifespan appears to be a global setting that applies to all sessions, regardless of how the user authenticated (browser or API) [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan). Summary: - The maximum session lifespan is configurable, with no explicit hard limit documented for session tokens. - There is no documented way to set different session lifespans for browser and API login flows; the setting is global for all sessions.