User's JWT with longer expiry

Hi,
We are evaluating privacyIDEA to use it as a standalone OTP server. Our requirements are to have a minimum of APIs to generate and validate OTPs. We have our own mechanism to send the OTP to the users. We want only generate and validate APIs.

What we understand while evaluating the product is that we need to call 4 APIs in the following sequence to generate and validate an OTP (please correct me if wrong, and advise if there is any better option for our requirements):

1- /auth to generate JWT token
2- /token/init to create token
3- /token/setrandompin to set otp (random option can be used)
4- /validate/check (validate OTP with pin)

What we expect (not sure if possible or not):
1- /token/init to create token and get an auto-generated PIN with no auth or a fixed (longer expiry) JWT
2- /validate/check (validate OTP with the PIN provided by the first API call, with no auth or a fixed (longer expiry) JWT)

We are using v3.9.2 with mariadb.
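The four-call sequence described in this post, as an added Python example that is not from the thread or from the privacyIDEA project: BASE_URL and the credentials are placeholders, the HTTP transport is injectable so the flow can be exercised offline against a stub, and the envelope field names (result.status, result.value.token, detail.serial, detail.pin) are my reading of privacyIDEA's API and should be checked against the 3.9 API documentation.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://pi.example.invalid"  # placeholder, not a real server


def http_post(path, data, jwt=None):
    """Form-encoded POST to privacyIDEA; the raw JWT (no 'Bearer' prefix)
    goes in the Authorization header. Swapped out for a stub in tests."""
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(BASE_URL + path, data=body, method="POST")
    if jwt:
        req.add_header("Authorization", jwt)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def unwrap(envelope):
    """Every privacyIDEA response is {"result": {"status": bool, "value": ...},
    "detail": {...}} (assumed layout). A false status must never pass as success."""
    result = envelope.get("result", {})
    if not result.get("status"):
        raise RuntimeError(f"privacyIDEA call failed: {result.get('error')}")
    return result.get("value"), envelope.get("detail", {})


def enroll_with_random_pin(user, admin_user, admin_pw, post=http_post):
    """Steps 1-3 of the sequence: /auth, /token/init, /token/setrandompin.
    Returns (serial, pin). The JWT is a bearer credential, so it stays local
    to this call and is never logged or persisted."""
    value, _ = unwrap(post("/auth", {"username": admin_user, "password": admin_pw}))
    jwt = value["token"]
    _, detail = unwrap(post("/token/init", {"type": "hotp", "user": user, "genkey": 1}, jwt))
    serial = detail["serial"]
    _, detail = unwrap(post("/token/setrandompin", {"serial": serial}, jwt))
    return serial, detail["pin"]


def validate(user, pin, otp, post=http_post):
    """Step 4: /validate/check takes no JWT; 'pass' is the PIN followed by the OTP.
    result.value is true only on a successful match."""
    value, _ = unwrap(post("/validate/check", {"user": user, "pass": pin + otp}))
    return value is True
```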

The /auth endpoint will only issue a JWT that is valid for one hour.

You can use pi-manage to create JWTs with a longer validity.
https://privacyidea.readthedocs.io/en/latest/installation/system/pi-manage.html?highlight=pi%20manage#api-keys

However, be aware that by design you cannot invalidate an issued JWT. So if it gets compromised you need to reset your signing secret.


Thanks for your reply. I have already created a token with longer expiry using pi-manage, but it can be created only for the admin and validate roles. And while using this token with the /token/setrandompin API, it asks to define a policy for random pin under admin scope. After defining the policy I was unable to use the web UI properly. I may be missing something here, but based on this I have two questions:

1- Can I create a longer expiry for users with pi-manage?
2- Is it possible to generate a random PIN during enrollment (/token/init) and get the generated PIN back, to minimize the number of API calls?