PWA Login Expiration

Hi, if I build a PWA and use Xano for authentication, am I correct in thinking that the user will not need to log in every time they use the app? They should stay logged in as long as the Xano auth token isn't expired, correct?

Ha! That’s a great question. I’m thinking you’re correct but I’m not sure. Let me ask the tech team and get back to you on that one :slight_smile:

Hi Mark, yes, the user will stay logged in. I need to add a few comments, though:

  • Xano sets the token validity by default to 24 hours, but you can change it to “never expire.”
  • Never expiring the token is not a good practice from a security standpoint; you are probably implementing authentication for a reason in the first place.
  • Especially on a mobile device: if someone gets hold of that device and manages to get into it, your app will be on the device with a never-expiring token.

I am sure you have your reasons and you thought it through; I just want to throw in a few words of caution.

I figure I’d point this out if anyone else has this issue—

  • You can change the expiration time in Xano, but you might run into some UX problems if you don’t change it on the front-end as well.
  • We’ve run into this where users tell us they get “kicked out” regularly, and we believe it’s due to the mismatch in the expiration time on the back-end and front-end.
  • We plan to add some custom JavaScript after WeWeb’s Xano plugin’s login function to update the cookie (or rather, overwrite it) to prevent this.

I’m not sure if this is a good practice. I imagine someone around here like @raydeck might know better, but this is the route I’ve come to with ChatGPT.
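The following is an added example, not part of any post in this thread and not WeWeb's or Xano's own code: one way to keep a front-end cookie's lifetime in step with the back-end token lifetime while rejecting a "never expire" setting. The cookie name `authToken`, the function name, and the 60-second safety margin are assumptions; the 24-hour value is the default mentioned above.

```javascript
// Added example. All names here are hypothetical, not a WeWeb or Xano API.
const BACKEND_TTL_SECONDS = 24 * 60 * 60; // back-end token validity (24 h default per the thread)
const SKEW_SECONDS = 60; // assumed margin: drop the cookie slightly before the token dies

// Returns a cookie string whose Max-Age equals the token's remaining lifetime,
// or null when the token is already (nearly) expired and a fresh login is needed.
function buildAuthCookie(name, token, ttlSeconds, issuedAtMs, nowMs) {
  // Refuse unbounded sessions: Infinity, NaN, zero and negatives are all rejected.
  if (!Number.isFinite(ttlSeconds) || ttlSeconds <= 0) {
    throw new RangeError("token TTL must be a finite, positive number of seconds");
  }
  // Clamp at 0 so a client clock that runs behind cannot extend the lifetime.
  const elapsed = Math.max(0, Math.floor((nowMs - issuedAtMs) / 1000));
  const remaining = ttlSeconds - elapsed - SKEW_SECONDS;
  if (remaining <= 0) return null;
  return [
    `${encodeURIComponent(name)}=${encodeURIComponent(token)}`,
    `Max-Age=${remaining}`, // front-end expiry tracks the back-end expiry
    "Path=/",
    "Secure",               // only sent over HTTPS
    "SameSite=Strict",      // not attached to cross-site requests
  ].join("; ");
}

// Browser usage after a successful login (constructed values):
//   const cookie = buildAuthCookie("authToken", token, BACKEND_TTL_SECONDS, loginTimeMs, Date.now());
//   if (cookie === null) { /* send the user to the login page */ }
//   else { document.cookie = cookie; }
```

If the expiration time is changed on the back end, `BACKEND_TTL_SECONDS` has to be changed with it, otherwise the mismatch described above returns.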