Handle directline Tokens and their "expires_in"

Question

With Postman I send a POST to https://directline.botframework.com/v3/directline/tokens/generate with the Header Authorization: Bearer MySecret

The response is

{
  "conversationId": "MyConversationID",
  "token": "MyToken",
  "expires_in": 3600
}

Now I can go to this URL with the token

https://directline.botframework.com/embed/MyName?t=MyToken

and I have a chat opened. After (I assume) 3600 seconds I cannot reach the URL anymore as it is expired.

I can "refresh" my token by sending a POST via Postman to https://directline.botframework.com/v3/directline/tokens/refresh with this Header Authorization: Bearer MyToken and it gives me this response

{
  "conversationId": "MyConversationID",
  "token": "MySecondToken",
  "expires_in": 3600
}

I assume that https://directline.botframework.com/embed/MyName?t=MyToken will still run out after 3600 seconds but I can then continue the chat with https://directline.botframework.com/embed/MyName?t=MySecondToken as they have the same conversationId. Yet it also will expire after 3600 seconds.

Is it possible to set my own expires_in value?

Is it possible to remove expires_in so the token is permanent?

Answer 1

No, it is not possible to change the expires_in value. It is also not possible to remove it, either. Doing so would defeat the purpose behind issuing and using tokens which is to provide a level of security and obfuscation. By using tokens coupled with the conversationId, you are making it harder for unsavory individuals to gain access to your application and data.

It is not absolutely necessary or required to use a token (it depends on your application needs). You can always use your secret, just do so carefully. You can read more about the use of tokens and secrets in the BotFramework docs here.

If you plan on using tokens, then automate the call to refresh the token before it expires. Then swap the token out for the new.

Hope of help!