Auth0 Token

Bridgecrew Policy ID: BC_GIT_26
Checkov Check ID: CKV_SECRET_26
Severity: LOW

Auth0 Keys


All Auth0-issued JWTs have JSON Web Signatures (JWSs), meaning they are signed rather than encrypted. A JWS represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures.

Fix - Buildtime


Once issued, access tokens and ID tokens cannot be revoked in the same way as cookies with session IDs for server-side sessions.

As a result, tokens should be issued for relatively short periods, and then refreshed periodically if the user remains active.