For how long are codes, links, and invitations valid in cidaas?

Overview

cidaas uses predefined validity periods for security-critical flows such as password reset, account verification, registration, MFA, and user invitations. These validity periods are system defaults and apply globally.

This FAQ explains the current validity durations, configurability options, and invitation behavior.

Default validity periods

The following validity periods apply to all tenants and applications:

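| Flow                                 | Type                   | Validity                          |
|--------------------------------------|------------------------|-----------------------------------|
| Password reset                       | Code flow              | 30 minutes                        |
| Password reset                       | Link flow              | 7 days                            |
| Account verification (email / phone) | Code flow              | 30 minutes                        |
| Account verification (email / phone) | Link flow              | 7 days                            |
| Registration                         | Link                   | 1 day                             |
| MFA / OTP login                      | OTP                    | 10 minutes                        |
| User invitation                      | Invite URL (auth link) | 7 days                            |
| User invitation                      | Invite ID              | 180 days (until used or revoked)  |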

Can validity periods be configured?

No. Validity periods are currently not configurable.

  • Not configurable globally
  • Not configurable per tenant
  • Not configurable per application

For user invitations, two separate validity periods apply:

  • The invite URL (shortened authentication link) expires after 7 days
  • The Invite ID remains valid for 180 days, unless it is:
    • Accepted
    • Revoked

Once the invite URL expires, the user cannot complete the invitation using that link.

Can an admin resend or re-initiate an invitation?

Yes. Admin users can re-initiate invitations, which generates a new invite URL.

Admin UI

Go to: User invite → Invited users

API options

  • POST /invitations
    Creates a new invitation, generates the auth URL, and sends the notification (email/SMS)

  • GET /invitations/:inviteId (Public)
    Reads invitation details
    Returns 204 if the invitation is not found or expired

  • PATCH /invitations/:inviteId
    Updates invitation state (reinitiated, accepted, revoked, rejected)
    Re-sends the invitation when the state is set to reinitiated
    Requires cidaas:users_invite permission or admin role
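
The two invitation lifetimes above (7-day invite URL, 180-day Invite ID) can be turned into an admin-side triage check. This is an added example, not cidaas code: the record fields, the "pending" state label, treating "rejected" as closed, and creating a new invitation once the Invite ID has passed 180 days are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Fixed validity periods stated in this FAQ.
INVITE_URL_TTL = timedelta(days=7)
INVITE_ID_TTL = timedelta(days=180)
# Accepted/revoked end the Invite ID per the FAQ; treating "rejected"
# the same way is an assumption of this example.
CLOSED_STATES = {"accepted", "revoked", "rejected"}


def triage_invitation(invite, now):
    """Return (action, endpoint) for one invitation record.

    `invite` is a hypothetical dict, not the cidaas response schema:
    invite_id, state, id_created_at (Invite ID issued) and url_sent_at
    (current invite URL generated: creation or last re-initiation).
    """
    if invite["state"] in CLOSED_STATES:
        return ("none", None)
    if now - invite["id_created_at"] >= INVITE_ID_TTL:
        # Assumption: past 180 days the Invite ID is gone, so start over.
        return ("create_new", "POST /invitations")
    if now - invite["url_sent_at"] >= INVITE_URL_TTL:
        # Link dead, Invite ID alive: admin sets state to "reinitiated".
        return ("reinitiate", f"PATCH /invitations/{invite['invite_id']}")
    return ("wait", None)


def audit(invites, now):
    """Map invite_id -> (action, endpoint) for records needing admin action."""
    decisions = {i["invite_id"]: triage_invitation(i, now) for i in invites}
    return {k: v for k, v in decisions.items()
            if v[0] in ("reinitiate", "create_new")}


# Constructed sample data (not real cidaas output); "pending" is a made-up label.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

def _rec(invite_id, state, id_age_days, url_age_days):
    return {"invite_id": invite_id, "state": state,
            "id_created_at": NOW - timedelta(days=id_age_days),
            "url_sent_at": NOW - timedelta(days=url_age_days)}

SAMPLE = [_rec("inv-1", "pending", 2, 2), _rec("inv-2", "pending", 10, 10),
          _rec("inv-3", "reinitiated", 30, 1), _rec("inv-4", "pending", 181, 3),
          _rec("inv-5", "accepted", 200, 200)]

if __name__ == "__main__":
    for invite_id, decision in audit(SAMPLE, NOW).items():
        print(invite_id, *decision)
```
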

Key points to remember

  • All validity periods are predefined and fixed
  • No app-level or global customization is supported
  • Expired invitation links can always be re-initiated by admins