Kaspersky Security Center

Lifetime of tokens and authorization timeout for Identity and Access Manager

14 April 2024

ID 221068

When configuring Identity and Access Manager (also referred to as IAM), you must specify the settings for the token lifetime and authorization timeout. The default settings are designed to reflect both the security standards and the server load. However, you can change these settings according to your organization's policies.

IAM automatically re-issues a token when it is about to expire.

The table below lists the default token lifetime settings.

Token lifetime settings


Default lifetime (in seconds)


Identity token (id_token)


Identity token used by the OAuth 2.0 client (that is, either Kaspersky Security Center Web Console or Kaspersky Industrial CyberSecurity Console). IAM sends the ID token containing information about the user (that is, the user profile) to the client.

Access token (access_token)


Access token used by the OAuth 2.0 client to access to the resource server on behalf of the resource owner identified by IAM.

Refresh token (refresh_token)


The OAuth 2.0 client uses this token for re-issuing the Identity token and the Access token.

The table below lists the timeouts for auth_code and login_consent_request.

Authorization timeout settings


Default timeout (in seconds)


Authorization code (auth_code)


Timeout for exchanging code for the token. The OAuth 2.0 client sends this code to the resource server and gets the access token in exchange.

Login consent request timeout (login_consent_request)


Timeout for delegating user rights to the OAuth 2.0 client.

For more information about tokens, see the OAuth website.

See also:

Enabling Identity and Access Manager: scenario

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.