MaxAge of jwt and session

[AnnaYeung9797]

According to the document (https://next-auth.js.org/configuration/options#jwt), we can set MaxAge of jwt then use getToken() to check the token. However when I tried
const options: NextAuthOptions = { jwt: {maxAge: 10} }
the result of getToken() shows the token expire after 30 days (default value)

While if I tried
const options: NextAuthOptions = { session: {maxAge: 10} }
the result of getToken() shows that the token expire after 10 sec

JSON Web Token {
"name": "myname",
"email": "email@gmail.com",
"picture": "myavator",
"sub": "18512368",
"accessToken": "f4aaa532b65a5fd06e652e6a68718571273a476fc9f9079345f8e0a1f79f1742f",
"iat": 1703583801,
"exp": 1703583811,
"jti": "81sdf5d-fddf-44d3-b963-34a1a0f14fdf"
}

it seems that the getToken() method get the session MaxAge instead of the jwt MaxAge, is that a normal behaviour?
Many thanks in advance!

[Byron0000]

Were you able to solve this issue?

[broy94]

I'm facing almost the same issue, except that for me the expiration is set to 30 days in both cases - either I set the session maxAge or the jwt maxAge property, it doesn't matter.

[AnnaYeung9797]

Hi, I didn’t figure out how jwt maxAge works, so I just keep it as 1 but it doesn’t really affect anything….

…

Byron0000 ***@***.***>於2024年1月30日 下午11:05寫道： Were you able to solve this issue? — Reply to this email directly, view it on GitHub <#9476 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AVSBUENZ5IH2X4ML4SMVQ73YREDZ3AVCNFSM6AAAAABBDZPP4OVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DGMBXGIZDS>. You are receiving this because you authored the thread.

[AnnaYeung9797]

Hi, I didn’t figure out how jwt maxAge works, so I just keep it as 1 but it doesn’t really affect anything….

…

broy94 ***@***.***>於2024年3月6日 上午6:41寫道： ply to this email directly,

[zivtamary]

did anyone solve this? I'm getting 30 days no matter where I change the maxAge, either on session or Jwt

@broy94

[broy94]

Unfortunately not :/ I haven't bothered with it, I just left it at 30 days for now.

[Hackersgoddest]

did anyone solve this? I'm getting 30 days no matter where I change the maxAge, either on session or Jwt

@broy94

Yeah so if you are using Credentials, probably you might have move your providers configuration to a different file, so move that session configuration to that file and you should be able to see it working, so it should look something like this

import Credentials from "next-auth/providers/credentials";

export default {
  providers: [
    Credentials({Credentials  configuration}),
  ],
  session: {
    strategy: "jwt",
    maxAge: 60, // 60 seconds
  },
} satisfies NextAuthConfig;

[internalG]

Do you mean the global session: { strategy: 'jwt', maxAge: 60 * 5 }, can't apply to Credentials? I think all providers should be in auth.ts file.

[Hackersgoddest]

Yeah, so when using Credentials with NextAuth, especially in apps using the Edge Runtime (like middleware), certain features such as database operations might not work as expected due to limitations of the edge environment.

That’s why it’s common to separate configurations—like moving the credentials provider and session strategy into a separate file (e.g. auth.ts) that's not tied to the edge runtime.

You can read more about this in the official Auth.js docs on edge compatibility: here

[jovdim]

Has anyone solved this issue? When I set the session maxAge to 10 seconds without reloading the page, the session is automatically deleted and the user is logged out. However, if I reload the page within those 10 seconds, the session resets to the default duration of 30 days.