Has anyone else had to make a decision which one to use? Any guidance or
thoughts you could share?
______________________________________________
I usually take a hybrid approach. Use offline tokens with short-lived tokens
(1-2 minutes). That way a single app "request" would rarely require more
than a single refresh across multiple API calls, but if the session is
terminated there's a much smaller amount of time that the token can be
abused.
This also depends on how sensitive the data/app is. If the data is really
sensitive, I would suggest not going with offline tokens, but that's
dependent on your appetite for risk.
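To make the trade-off in the reply above concrete, here is an added toy model (not code from this thread, and not a real Keycloak API) of the hybrid scheme: a long-lived offline (refresh) token, 120-second access tokens, and a resource server that validates only the exp claim. It shows that one multi-call request costs at most one refresh, and that after the offline session is revoked an already-issued token can be misused for at most ACCESS_TTL seconds.

```python
# Constructed simulation of the "offline token + short-lived access token" policy.
ACCESS_TTL = 120  # seconds; the 1-2 minute access token lifetime from the reply


class TokenService:
    """Toy authorization server (hypothetical, not Keycloak's API): issues short-lived
    access tokens against a long-lived offline token and can revoke that session."""

    def __init__(self):
        self.offline_sessions = {"offline-1": True}  # refresh token id -> active?
        self._counter = 0

    def refresh(self, refresh_token, now):
        """Exchange an offline token for a new access token; fails once revoked."""
        if not self.offline_sessions.get(refresh_token):
            raise PermissionError("offline session revoked")
        self._counter += 1
        return {"id": f"at-{self._counter}", "exp": now + ACCESS_TTL}

    def revoke(self, refresh_token):
        self.offline_sessions[refresh_token] = False

    def introspect(self, access_token, now):
        """Resource server check: stateless, only the exp claim is verified,
        so revoking the offline session does not invalidate a live access token."""
        return now < access_token["exp"]


class Client:
    def __init__(self, svc, refresh_token):
        self.svc, self.rt, self.at, self.refreshes = svc, refresh_token, None, 0

    def call_api(self, now):
        """One API call: refresh only when the cached token is missing or expired."""
        if self.at is None or now >= self.at["exp"]:
            self.at = self.svc.refresh(self.rt, now)
            self.refreshes += 1
        return self.svc.introspect(self.at, now)


def abuse_window(svc, client, revoke_at):
    """Seconds after revocation during which the last-issued token still validates;
    bounded by ACCESS_TTL, which is the point of keeping access tokens short."""
    svc.revoke(client.rt)
    t = revoke_at
    while svc.introspect(client.at, t):
        t += 1
    return t - revoke_at
```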