# talk-hydra
b
I have a question regarding the janitor. Especially regarding the `--access-lifespan` (and friends) parameters. Does this mean that it cannot decide from the database alone whether a token is expired? And since the parameters are optional, what values are used if unspecified? Would it be safer to point to the hydra config file, and would it use the lifespan values from there? I don't want to delete active access tokens from our users.
p
Hi @boundless-state-65031, Janitor was created to only delete data that have no more use (an expired token or request) and does not touch any data that is currently active. Regarding `--access-lifespan` et al., these are all read from the configuration file or from a default (if no value is specified), which means it doesn't solely decide based on the database if the token is active or not. I took a look at the code as well to confirm the database query deleting the data, and it essentially uses the configuration value as shown here: https://github.com/ory/hydra/blob/master/persistence/sql/persister_oauth2.go#L455-L461

Also take a look at this discussion: https://github.com/ory/hydra/discussions/3107

That is why it is recommended to keep a snapshot of your database before running Janitor, since it is a destructive command. I would also recommend running Janitor when the load is low, since it can take a while to delete if you specify a large batch size and you have millions of records.
b
Yes, I already found and read those sources/discussions. I just wanted to confirm that, if we don't use the exact same values as hydra itself, we might get unexpected results. I expect that the safe bet is to point it to hydra's own configuration file, then.
Also... this will probably not work well if you use per-client TTLs 😞