For how long are codes, links, and invitations valid in cidaas?
Overview
cidaas uses predefined validity periods for security-critical flows such as password reset, account verification, registration, MFA, and user invitations. These validity periods are system defaults and apply globally.
This FAQ explains the current validity durations, configurability options, and invitation behavior.
Default validity periods
The following validity periods apply to all tenants and applications:
| Flow | Type | Validity |
|---|---|---|
| Password reset | Code flow | 30 minutes |
| Password reset | Link flow | 7 days |
| Account verification (email / phone) | Code flow | 30 minutes |
| Account verification (email / phone) | Link flow | 7 days |
| Registration | Link | 1 day |
| MFA / OTP login | OTP | 10 minutes |
| User invitation | Invite URL (auth link) | 7 days |
| User invitation | Invite ID | 180 days (until used or revoked) |
Can validity periods be configured?
No. Validity periods are currently not configurable.
- Not configurable globally
- Not configurable per tenant
- Not configurable per application
What happens when an invitation link expires?
- The invite URL (shortened authentication link) expires after 7 days
- The Invite ID remains valid for 180 days, unless it is:
- Accepted
- Revoked
Once the invite URL expires, the user cannot complete the invitation using that link.
Can an admin resend or re-initiate an invitation?
Yes. Admin users can re-initiate invitations, which generates a new invite URL.
Admin UI
Go to: User invite → Invited users
API options
-
POST
/invitations
Creates a new invitation, generates the auth URL, and sends the notification (email/SMS) -
GET
/invitations/:inviteId(Public)
Reads invitation details
Returns204if the invitation is not found or expired -
PATCH
/invitations/:inviteId
Updates invitation state (reinitiated,accepted,revoked,rejected)
Re-sends the invitation when the state is set toreinitiated
Requirescidaas:users_invitepermission or admin role
Key points to remember
- All validity periods are predefined and fixed
- No app-level or global customization is supported
- Expired invitation links can always be re-initiated by admins