Do API tokens expire?

[cocowalla]

The docs explain how to authenticate and obtain a bearer token for use with the API - but do the obtained tokens expire?

If so, after how long? Does the API return a particular response for expired tokens?

Thanks!

[bekanne]

@cocowalla did you find out something?

[cocowalla]

@bekanne No, and the tokens returned by Umami aren't regular JWTs, so I've no idea how to even decode them. Docs still don't say anything about expiry time either 🤷

EDIT: I also had a quick look at the code. I'm not really a TypeScript kinda guy, and I know nothing of Next.js, so it's quite possible I'm missing something, but AFAIKT, here is what I found.

When logging in, it hits saveAuth, which points to createSecureToken, which in turn uses createToken to create a JWT... and then... strangely appears to encrypt the entire JWT using AES-256-GCM, resulting in a totally opaque blob?

AFAICS, there is no expiry and tokens are valid until the Umami server restarts - but please note I've no clue how Next.js authentication works, so I'm happy to be corrected if anyone knows better 👍