SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Hi. Is there any way to change expiration time of tokens depending on the way session created?
Now user gets its session using `auth/signinup/code`, then sends otp (we use passwordless recipe) `auth/signinup/code/consume` which gives them tokens. This works fine, but now we want users of mobile app, which we are developing have tokens which will expire after a day, not after several hours as now.
TIA.

Hi <@480777281548320779> 

At the moment thats not possible, out of curiosity though why would you need this?

If you use the mobile SDKs it will handle auto refreshing for you, in which case a shorter access token expiration would not be a problem

Hi <@292333473786494976> 
Thank you for your answer. 

In addition to the fact that mobile app users shouldn't constantly re-enter using the app, we want to understand what session was issued from the mobile app to limit access to certain roles. For example, the mobile app cannot be used by an organization administrator (business logic) 
If auto refresh is done by the mobile SDK, the question arises 
Is it possible to define another path `auth/mobile/signup/code` that does the same thing as the default `auth/signup/code`, only I can limit the roles that can use this path?

So there will be 2 routes - `auth/mobile/signup/code`  (for mobile app) and `auth/signup/code` (for other)

You could send additional information in the request for mobile users and then set different roles for that user using the overrides feature in the backend SDKs

That way you wont have to maintain duplicate routes

For example you could send a custom header or request body property for mobile users, the override the `auth/signup/code` API to consume that information and do some custom logic

But yes it is possible to create your own route and then call the function exposed by the Passwordless recipe

Which will do the same thing as the default API

But I would recommend the override approach

Oh, i see. How i can add business logic to  auth/signup/code ?

Right im not too familiar with python syntax but I can help explain what you would want to do:

On your backend you would want to override the `/signinup/code/consume` API (Refer to this for overrides https://supertokens.com/docs/passwordless/advanced-customizations/apis-override/usage). This API is responsible for signing up users after they enter the code

In this API check if the request contains the custom header/body property that your mobile users would send. If it contains it, you can set different roles than the ones you normally would for this user

When overriding the API, you have access to an `api_options` variable which the api receives as an input. This will allow you to read the original request and any custom properties you may have set

Happy to help! Feel free to reach out if you face any issues setting this up