Project Dable Service Account - JWT expiration after 1 day

Hi Team,

We are noticing that the JWT tokens for our service account expire after one day.
We are on a ProjectDable Pro account.

Is there maybe a configuration we missed that would allow for a 30-day valid JWT token?

3 Likes

Hi @bartcant.

Even though the service account JWTs expire after one day, the service account credentials are valid for thirty days. This and other supporting detail about service accounts is available in the docs, here: https://docs.projectdabl.com/api/iam/#service-accounts. Practically, it means that an application should track the lifetime of the service account credential and periodically re-exchange it for a ledger JWT, so as to continue having a valid ledger access token over the lifetime of the service account credential.

This combination of responsibilities provides a workable usability and operational risk trade-off for the current implementation of services, though stay tuned, as this feature may become easier to use in the future!

2 Likes

Thanks for the explanation

1 Like

Hey Max

Could we have a call about this tomorrow? Having a token that expires means we need to redeploy our React UI every day.
Can you guide us on when the token expires exactly?
Is this after 24 hrs or at a certain time in the night?
Do you have any best practices for automating the redeployment to projectdable?

Thanks for your insights on this

Hey Bart.

I’m happy to chat about the use case here. The Service Account feature is intended for those people that are deploying ledger-accessing bots on their own infrastructure, so as to allow their automation to authenticate itself to DABL’s ledger API without a human person being present.

If a human person is present, then I’d expect that that person could authenticate ledger requests as themselves, using tokens granted through the login flow.

All the ledger access tokens expire in 24 hours by design, in order to limit the risk of unauthorized access arising from the potential for credential theft.

What you are saying here suggests that there is a usage of Service Accounts that is not actually making use of the thirty day expiration window of the service account credential (even as the JWTs granted by the SA flow are only valid for 24 hours), because if the credential were being used to be exchanged for a ledger access token, then you would not have to redeploy every day, but instead every thirty days.

Would you kindly elaborate on how you are using service accounts here, that requires a daily redeploy? That is the sort of thing that the feature is supposed to allow our users to avoid. Which component of your system is requiring authenticated ledger access? Can that access be performed by a person manually, or must it be done automatically by a bot? In the case where it must be done automatically by a bot (the target use case for Service Accounts), how are you deploying the component that performs that authenticated ledger access?
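The refresh pattern Max describes in both replies (hold the service account credential for its thirty days, and re-exchange it for a fresh ledger JWT before each 24-hour token expires, instead of redeploying), as an added Python example that is not from the thread or from DABL: `exchange` is an assumed callback standing in for the real credential-for-JWT exchange, and `fake_exchange` mints a constructed token so the code runs offline.

```python
import base64
import json
import time
from typing import Callable

REFRESH_MARGIN = 5 * 60  # re-exchange this many seconds before the ledger JWT's 'exp'

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_exp(token: str) -> int:
    """Read the 'exp' claim of a compact JWS without verifying its signature.
    The client only needs 'exp' to schedule a refresh; the ledger API verifies."""
    _header, payload, _sig = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(padded))["exp"])

def needs_refresh(token: str, now: int, margin: int = REFRESH_MARGIN) -> bool:
    return now >= jwt_exp(token) - margin

class LedgerTokenSource:
    """Keeps a usable ledger JWT for as long as the service account credential lives.
    `exchange(credential) -> jwt` is a hypothetical callback around the real
    credential-for-JWT exchange; `credential_exp` is the credential's own expiry."""

    def __init__(self, credential: str, credential_exp: int,
                 exchange: Callable[[str], str], clock: Callable[[], float] = time.time):
        self.credential, self.credential_exp = credential, credential_exp
        self.exchange, self.clock = exchange, clock
        self.jwt = None
        self.exchanges = 0  # number of credential-for-JWT exchanges performed

    def token(self) -> str:
        now = int(self.clock())
        if now >= self.credential_exp:
            raise RuntimeError("service account credential expired: issue a new one")
        if self.jwt is None or needs_refresh(self.jwt, now):
            self.jwt = self.exchange(self.credential)  # fresh 24-hour ledger JWT
            self.exchanges += 1
        return self.jwt

def fake_exchange(clock: Callable[[], float]) -> Callable[[str], str]:
    """Constructed stand-in for the IAM exchange: mints a JWT-shaped token valid 24h."""
    def exchange(credential: str) -> str:
        claims = {"sub": "service-account", "exp": int(clock()) + 86400}
        return ".".join([_b64url(b'{"alg":"HS256","typ":"JWT"}'),
                         _b64url(json.dumps(claims).encode()),
                         _b64url(b"constructed-signature")])
    return exchange
```

Call `token()` before every ledger request; it re-exchanges only when the current JWT is within the margin of expiry and fails loudly once the thirty-day credential itself has lapsed.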

I can walk you through our current configuration tomorrow.
Please send me a convenient time tomorrow at bart@rtledgers.com and I can set up a Zoom call.