As a customer administrator with Webex Pro Pack, you can create a custom token policy for your Webex App for web, mobile or desktop users. A custom token policy gives you control over the following:

  • Turn on or off auto-extend refresh token

  • Specify the time-to-live (TTL) of the JSON web token (JWT)

  • Specify the TTL of the refresh token

With these features, you can control how often users are required to log in on mobile, desktop, or web clients. As a compliance requirement, you may want your users to reauthenticate to make sure they are using the latest security policy in your organization.

Your Control Hub-managed organization must be enabled for Pro Pack. If you're not subscribed to Pro Pack, the token policy settings are greyed out when you access organization settings in Control Hub.

With these settings, you can manually specify the refresh and access token intervals.


The default setting is that auto-extension of refresh tokens is disabled. Only change this setting if you want to manually specify the Time-to-Live (TTL) for the refresh tokens and access tokens for users in your organization.


From the customer view in Control Hub, go to Management > Organization Settings > Authentication, and then scroll to Token policy.


Toggle on the Auto-extend refresh token setting for Mobile, Desktop, or both.


Desktop includes Webex App for Web.

This setting gives a new Time-to-Live (TTL) for the refresh token. Changing this setting changes the TTL the next time a user is issued a refresh token. As long as user accounts are not revoked in your directory, users get a new refresh token and maintain a valid session.


Specify a value for Refresh token TTL.

This setting controls the time that the refresh token is valid, allowing new access tokens to be created for users. The valid range is 24–1440 hours.


Specify a value for Access token TTL.

If the refresh token is valid, an access token is created within the time limit that you set. The valid range is 360–1080 minutes.


Save your changes to apply the changed settings.

The settings are applied next time a user uses a mobile or desktop client.
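
To see how the refresh token TTL, access token TTL, and auto-extend setting interact before you save a policy, the following Python sketch checks planned values against the ranges above and estimates when a user is next forced to sign in. It is an added example, not Cisco code or a Webex API: `TokenPolicy`, `forced_reauth_hour`, and the activity list are hypothetical, and the refresh behavior is a simplified model described in the docstring.

```python
from dataclasses import dataclass

# Valid ranges as stated in this article.
RANGES = {
    "refresh_ttl_hours": (24, 1440),
    "access_ttl_minutes": (360, 1080),
    "max_refresh_tokens": (10, 100),
}

@dataclass
class TokenPolicy:  # hypothetical container, not a Webex API object
    auto_extend: bool
    refresh_ttl_hours: int
    access_ttl_minutes: int
    max_refresh_tokens: int

    def errors(self):
        """Return a message for every setting outside its documented range."""
        return [
            f"{name}={getattr(self, name)} is outside {lo}-{hi}"
            for name, (lo, hi) in RANGES.items()
            if not lo <= getattr(self, name) <= hi
        ]

def forced_reauth_hour(policy, active_hours):
    """Hour (since sign-in) at which the user must sign in again, or None.

    Assumed model: the client redeems its refresh token only when it is used
    after the access token has expired; with auto-extend on, that exchange
    also issues a new refresh token carrying a fresh TTL.
    """
    access_ttl = policy.access_ttl_minutes / 60
    access_exp, refresh_exp = access_ttl, policy.refresh_ttl_hours
    for t in sorted(active_hours):
        if t < access_exp:
            continue                      # access token still valid
        if t >= refresh_exp:
            return t                      # refresh token expired: sign in again
        access_exp = t + access_ttl       # new access token issued
        if policy.auto_extend:
            refresh_exp = t + policy.refresh_ttl_hours
    return None

if __name__ == "__main__":
    usage = [0, 8, 16, 23, 30]            # constructed activity, hours since sign-in
    fixed = TokenPolicy(False, 24, 360, 10)
    rolling = TokenPolicy(True, 24, 360, 10)
    print(forced_reauth_hour(fixed, usage), forced_reauth_hour(rolling, usage))
```

In this model, a user with auto-extend on is forced to sign in again only after an idle gap longer than the refresh token TTL, while a user with auto-extend off must sign in again once the fixed refresh token TTL has passed and the last access token has expired.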

Configure this setting if you want to control how many Refresh Tokens can be issued per user per client. For example, you may want to minimize the simultaneous logins for compliance or maximize the logins for users who need to authenticate on multiple mobile devices or desktop workstations.


From the customer view in Control Hub, go to Management > Organization Settings > Authentication, and then scroll to Token policy.


For Max. num of refresh tokens, set a value for Mobile and Desktop as needed.

The valid range is 10–100 sessions.


Save your changes to apply your settings.

What to do next

A user who successfully authenticates from a client that exceeds the number of refresh tokens has one of their existing tokens revoked after authentication. If the token expires, users are forced to reauthenticate.