Skip to main content

Token Types

In a KOBIL Shift Lite or KOBIL Digitanium+ environment, there are 4 types of tokens:

TokenUsageMC StorageIDP Parameter
Access TokenUsed for authentication against KOBIL services. Has the shortest lifetime (e.g., 2 minutes). After expiration, MC obtains a new token using the Refresh Token.In MemoryAccess Token Lifespan, ...
Refresh TokenUsed at runtime to update the Access Token when expired. Has a longer lifetime than the Access Token (e.g., 30 minutes). After expiration, MC obtains a new token using the Offline Token.In MemorySSO Session Max, ...
Offline TokenUsed for obtaining a new set of tokens when the app has not been used for an extended time and other tokens have expired. The MC requests and securely stores these tokens. During verification, the IDP checks that the identical Offline Token is presented and is still valid. Depending on the Authentication Mode, the user can either continue using the app or must perform biometric authentication. Has the longest lifetime (e.g., 90 days). After expiration, the user must perform an online login to the IDP with their credentials. Offline Tokens are a special kind of Refresh Token with scope offline_access.PersistentOffline Session Idle, ...
Authorization-Grant TokenUsed for obtaining a new set of tokens as an alternative to Offline Tokens. The MC generates a key pair where the private key is protected using OS-level security (e.g., biometrics) and the public key is registered in the AST backend. When requesting tokens, the MC creates and signs a JWT with the private key. The IDP verifies the signature against the stored public key. This method is expected to replace Offline Tokens in the future.PersistentOffline Session Idle, ...

Both the Offline Token and the Authorization-Grant Token transmit AST-Client-Data, enabling verification of app integrity and device binding.

KOBIL Digitanium+ uses either Refresh Token, Offline Token, or Authorization-Grant Token.

Token Lifetime Hierarchy

It is important that the configured token lifetimes follow this hierarchy:
Access Token < Refresh Token < Offline Token

Token Rejection and Fallback

The Security Server can reject token updates at any time. For example, when the change PIN flow disables all user tokens for all devices on the server side. In such cases, you must perform an online login.

Deleting Tokens

You can delete tokens stored by the SDK using the ClearIamTokenCacheEvent as described in the Logout section for KOBIL Shift Lite and KOBIL Digitanium+.