Fixed-length Bearer tokens being replaced with variable-length JWT tokens
In early Apr 2021 we updated our Bearer tokens from a fixed-length format to a variable-length JWT for newly created apps. Any apps created after that date were issued JWT access tokens and will see no change going forward.
Apps created before that date will continue to receive a fixed-length access token until May 1st, 2023, when we will drop support for fixed-length access tokens and issue only variable-length JWT access tokens.
More about authentication here and on our start page.
Details
Who is affected?
Any apps that were created before Apr 2021.
What is changing?
We have updated our Bearer tokens from a fixed-length format to a variable-length JWT.
Notes:
- If you are storing access tokens in a database, we recommend using a “TEXT” type column (holds up to 64KB or 65,535 characters) to handle the variable-length access token, and ideally storing them encrypted.
- The change currently affects only the access token, not the refresh token. Refresh tokens remain unchanged; however, they could change in the future, and any assumptions you’ve made about their length should be re-evaluated.
- To check whether you are currently being issued JWT access tokens, inspect your issued access tokens: if they look something like xxx.yyyyyy.zzzz, or they aren’t a fixed length of 64(?) characters, then you already have JWT access tokens enabled.
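The format check and the column-size concern from the notes above, as an added Python example (not code from this service or its SDKs). The function names, the sample tokens and the 64-character legacy length (the page itself gives it as "64(?)") are assumptions made for illustration.

```python
import base64
import binascii
import json

LEGACY_LENGTH = 64  # assumption: the page gives the fixed length as "64(?)"


def _b64url_json(segment):
    """Decode one base64url segment (padding restored) to a JSON object, or None."""
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        obj = json.loads(raw)
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def classify_access_token(token, column_width=LEGACY_LENGTH):
    """Report token format and whether it fits a column of column_width characters."""
    parts = token.split(".")
    is_jwt = (
        len(parts) == 3
        and all(parts)
        and _b64url_json(parts[0]) is not None  # header must be a JSON object
        and _b64url_json(parts[1]) is not None  # payload must be a JSON object
    )
    if is_jwt:
        kind = "jwt"
    elif len(token) == LEGACY_LENGTH:
        kind = "fixed-length"
    else:
        kind = "unknown"
    return {"kind": kind, "length": len(token), "fits_column": len(token) <= column_width}


def _seg(obj):
    """Build an unpadded base64url segment, the way JWT segments are encoded."""
    data = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample tokens; neither was issued by any real service.
SAMPLE_JWT = ".".join([
    _seg({"alg": "RS256", "typ": "JWT"}),
    _seg({"sub": "example-user", "exp": 1700000000}),
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",  # placeholder signature segment
])
SAMPLE_FIXED = "ab" * 32  # 64 characters
```

This inspects the token's shape only and does not verify the signature; pass `column_width=65535` to test against a TEXT column instead of a 64-character one.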