Support of a 24-hour token expiration
A 24-hour token expiration refers to a security mechanism where authentication tokens, which are generated after successful login or authentication, have a limited lifespan of 24 hours. Once this period elapses, the token becomes invalid and cannot be used for any further authentication attempts.
The purpose of implementing a 24-hour token expiration is to ensure periodic reauthentication and enhance system security. By setting a time-based expiration for tokens, the system requires users to reauthenticate within a reasonable timeframe. This helps mitigate the risks associated with prolonged sessions and unauthorized access to sensitive information or functionalities.
Please note: A 24-hour token expiration is applied only in the web version of the application; for the mobile version, ApprovalMax supports setting up a PIN/biometric,
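To make the mechanism concrete, here is an added example (not ApprovalMax's code; the product's actual token format and implementation are not described on this page) of a minimal server-side token with a 24-hour lifetime. It assumes an HMAC-signed token carrying issued-at and expiry timestamps, and a validator that checks the signature before it trusts anything in the payload, then rejects the token once the 24 hours have elapsed. The secret key and the `now` parameter are assumptions introduced for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# 24-hour lifetime, as described above (constant name is an assumption).
TOKEN_LIFETIME_SECONDS = 24 * 60 * 60


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, now=None) -> str:
    """Issue a token for `subject` that expires 24 hours after `now`.

    `now` defaults to the server clock; it is a parameter so tests can
    control time. The token is <base64 payload>.<base64 HMAC-SHA256>.
    """
    iat = int(now if now is not None else time.time())
    payload = {"sub": subject, "iat": iat, "exp": iat + TOKEN_LIFETIME_SECONDS}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(secret: bytes, token: str, now=None):
    """Return (ok, reason, payload).

    Order matters: the signature is verified first, so an attacker cannot
    influence anything by editing the payload (e.g. pushing `exp` forward).
    Only after that is the expiry checked against the server clock.
    """
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed", None
    body, sig = parts
    expected = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "bad_signature", None
    payload = json.loads(_unb64(body))
    current = now if now is not None else time.time()
    if current >= payload["exp"]:
        # Token is past its 24-hour window: the user must reauthenticate.
        return False, "expired", payload
    return True, "ok", payload


if __name__ == "__main__":
    # Constructed demo values: a fixed clock and a dummy key.
    key = b"demo-secret-key"
    t0 = 1_700_000_000
    tok = issue_token(key, "user@example.com", now=t0)
    print("1h later :", validate_token(key, tok, now=t0 + 3600)[:2])
    print("24h later:", validate_token(key, tok, now=t0 + TOKEN_LIFETIME_SECONDS)[:2])
    # Editing `exp` in the payload without the key invalidates the signature.
    body, sig = tok.split(".")
    forged = json.loads(_unb64(body))
    forged["exp"] += 10 * TOKEN_LIFETIME_SECONDS
    forged_body = _b64(json.dumps(forged, separators=(",", ":"), sort_keys=True).encode())
    print("forged   :", validate_token(key, f"{forged_body}.{sig}", now=t0)[:2])
```

The validator uses the server's clock, never a timestamp supplied by the client, and the expiry is baked into the signed payload, so a client cannot extend its own session. A real deployment would also want server-side revocation on logout and a short clock-skew allowance between issuing and validating hosts.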