JWT Expiration

Configure per-tenant JWT authentication token expiry and domain audience.

You can choose how long a user stays signed in before they need to sign in again. This is controlled by the JWT expiration setting for your app (tenant).

Who is this for?

Anyone managing a BetterForms app who wants to balance convenience and security. Shorter times are more secure; longer times mean fewer logins for your users.

Availability

Requires basecode version v3.2.6+.

How to change it (2 steps)

Open your app’s settings

App Settings → Authentication → Token Expiry

Enter how long tokens should last

Examples you can paste:
- 1h (1 hour)
- 8h (workday)
- 7d (one week)
- Or a number of seconds like 604800 (7 days)

Tip: Leave it blank to use the default of 24 hours.

What happens behind the scenes

Your choice is saved with your app and used to issue new sign‑in tokens.
Changes taken place on next user login.

Domain safety (why a token from one site won’t work on another)

Tokens are locked to your site’s domain (called the “audience”). Using the same token on a different domain or tenant will be rejected automatically.

Notes for teams using a proxy or CDN

Nginx: proxy_set_header Host $host;
AWS ALB: turn on “preserve host header”
Cloudflare: set “Origin host header” to On

If you see JWT errors

It usually means the server didn’t receive the original site domain. Check:

Your proxy/load balancer forwards the original Host header
Your domain actually matches the site that issued the token
Your platform version is v3.2.6 or newer

PreviousOAuth NextSecurity Best Practices

Last updated 5 months ago

Was this helpful?

hashtagWho is this for?

hashtagAvailability

hashtagHow to change it (2 steps)

hashtagWhat happens behind the scenes

hashtagDomain safety (why a token from one site won’t work on another)

hashtagNotes for teams using a proxy or CDN

hashtagIf you see JWT errors