Impact CRM uses JWT Authenticator.
On each request, the JWT (JSON Web Token) is passed in an HTTP header named X-Auth-Token. The server validates the token on every request, and resources are accessed only after a successful validation.
There are two types of token expiration in Impact CRM. Neither type is configurable by an administrator.
AuthenticatorIdleTimeout
The duration an authenticator can be idle before it times out.
Example:
If the value is 5 minutes, an end user is automatically logged out once more than 5 minutes have passed since their last action on the site (for example, at 5 minutes and 1 second). If they perform any action on the site before the authenticator times out, the countdown is reset and the end user has a further 5 minutes until the authenticator times out.
The Impact CRM default AuthenticatorIdleTimeout value is set to 200 hours.
AuthenticatorExpiry
The duration after which an authenticator expires, measured from when it was created.
Example:
If the timeout is set to 8 hours, then the end-user will be automatically logged out after 8 hours.
The Impact CRM default AuthenticatorExpiry value is set to 240 hours.
Notes:
When a user signs out from the application, it does not mean that the JWT becomes invalid. Therefore, the AuthenticatorExpiry value is set to such a low figure.
Warning: JWTs are credentials, which can grant access to resources. Be careful where you paste them!
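How the two timeouts interact, and how long a token remains accepted after sign-out, as an added example that is not Impact CRM's own code. It models an authenticator as a plain record with the assumed field names `created` and `last_used`, and assumes a limit counts as exceeded only once it is strictly passed (following the "5 minutes and 1 second" example above).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Defaults stated on the page.
IDLE_TIMEOUT = timedelta(hours=200)  # AuthenticatorIdleTimeout
EXPIRY = timedelta(hours=240)        # AuthenticatorExpiry


@dataclass
class Authenticator:
    # Field names are assumptions made for this example.
    created: datetime    # when the token was issued
    last_used: datetime  # last successfully validated request


def check(auth, now, idle=IDLE_TIMEOUT, expiry=EXPIRY):
    """Classify a request arriving at `now` without changing state."""
    if now - auth.created > expiry:
        return "expired"        # absolute lifetime, never reset
    if now - auth.last_used > idle:
        return "idle_timeout"   # no activity inside the idle window
    return "valid"


def touch(auth, now, idle=IDLE_TIMEOUT, expiry=EXPIRY):
    """Validate a request; a valid one resets the idle countdown."""
    state = check(auth, now, idle, expiry)
    if state == "valid":
        auth.last_used = now
    return state


def usable_until(auth, idle=IDLE_TIMEOUT, expiry=EXPIRY):
    """Last instant the token is accepted if it is never used again.

    Signing out does not change this value; with continued use the
    hard limit is created + expiry.
    """
    return min(auth.last_used + idle, auth.created + expiry)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    session = Authenticator(created=t0, last_used=t0)
    for hours in (199, 239, 241):
        print(hours, touch(session, t0 + timedelta(hours=hours)))
    print("usable until", usable_until(session))
```

With the defaults, a token that is used once and then copied is still accepted for 200 hours after that last use, whether or not the user signed out.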