Recommended Configurations

Set the following configurations in ‘access.config.yml’ to apply the configuration changes required for the API.

Note

  • If expiry is forced but expires_in was not provided in the request, the default expiry shall be set for users.

  • An admin can restrict the refreshability of user identity tokens (i.e., disallow creating them as refreshable).

default-expiry

  • The default expiry period, in seconds. This is the token expiry applied when the expiry is set to null.

  • When set to zero, default expiry is not forced.

  • Must be non-negative.

  • Must comply with ('max-expiry' >= 'default-expiry').

  • Default value: 1 year

max-expiry

  • The maximum possible expiry of non-admin tokens.

  • Setting a max-expiry value is recommended: when it is not set or is set to zero, admins can set the token to be non-expirable, and users can set the expires_in parameter to any value.

  • When set to more than zero, non-expirable tokens are forbidden for users, and the user's token expiry will be limited to the max-expiry value.

  • Must be non-negative.

  • Must comply with ('max-expiry' >= 'default-expiry').

  • Default value: 0

allow-refreshable

  • When disabled, all the user tokens will be created as non-refreshable.

  • Default: true

‘access.config.yml’ Example:

token:
  default-expiry: 31536000
  max-expiry: 0
  allow-refreshable: true
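
The following is an added example, not JFrog code: a small lint for the 'token' block that applies the rules listed above and flags the settings that leave token lifetime unbounded. The function name, the finding format and the sample values are assumptions, as is treating the ('max-expiry' >= 'default-expiry') rule as applying only when max-expiry is non-zero.

```python
# Added example: lint the 'token' block of access.config.yml against the rules above.
# Input is the already-parsed block as a dict (parsing the YAML is left to the caller).

# Defaults as documented on this page (1 year, 0, true).
DEFAULTS = {"default-expiry": 31536000, "max-expiry": 0, "allow-refreshable": True}


def audit_token_config(token):
    """Return a list of (level, message) findings for a parsed 'token' block."""
    cfg = {**DEFAULTS, **(token or {})}
    findings = []
    for key in ("default-expiry", "max-expiry"):
        value = cfg[key]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            findings.append(("error", f"{key} must be an integer number of seconds"))
        elif value < 0:
            findings.append(("error", f"{key} must be non-negative"))
    if findings:
        return findings  # the remaining checks need two valid numbers

    default_expiry, max_expiry = cfg["default-expiry"], cfg["max-expiry"]
    if max_expiry == 0:
        findings.append(("warn", "max-expiry is 0: admins can create non-expirable "
                                 "tokens and users can set any expires_in"))
    elif max_expiry < default_expiry:
        # Assumption: the ordering rule is only checked when max-expiry is non-zero,
        # because the documented defaults (1 year / 0) would otherwise violate it.
        findings.append(("error", "max-expiry must be >= default-expiry"))
    if default_expiry == 0:
        findings.append(("warn", "default-expiry is 0: default expiry is not forced"))
    if not isinstance(cfg["allow-refreshable"], bool):
        findings.append(("error", "allow-refreshable must be true or false"))
    return findings


# Constructed sample inputs (not taken from a real deployment).
SHIPPED = {"default-expiry": 31536000, "max-expiry": 0, "allow-refreshable": True}
BOUNDED = {"default-expiry": 2592000, "max-expiry": 7776000, "allow-refreshable": False}
INVERTED = {"default-expiry": 31536000, "max-expiry": 86400}

if __name__ == "__main__":
    for name, block in (("shipped", SHIPPED), ("bounded", BOUNDED), ("inverted", INVERTED)):
        print(name, audit_token_config(block) or "ok")
```

The BOUNDED values (30-day default, 90-day maximum, refresh disabled) are illustrative only; choose limits that match your own token rotation policy.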