As a Blissbook user, you receive various authentication tokens via email for different purposes. Understanding how these tokens work and their expiration times is crucial to smooth usage for all your employees.
What is an Access or Authentication Token?
An authentication token securely transmits information about a user's identity to Blissbook. Blissbook uses these tokens to control access to protected pages. Rather than using a username and password, a user can request a token, receive it somewhere that only they have access to (their email account), and then use it to log in.
You've experienced tokens if you've ever clicked a link in an "I forgot my password" email. To make using tokens easy, they are embedded within a link that a user can click. The token itself is encrypted so that the user's identity information can be securely transmitted through the internet to Blissbook.
For security reasons, tokens expire after a certain period of time. This protects users in case their email account is ever compromised. The bad actor cannot search through old emails and use a token to log in to that Blissbook account.
Token Expiration Times
Different actions trigger different emails with different authentication tokens and these tokens have varying expiration times.
Login/Access Tokens: When you enter your email address to trigger a login or access email, the token you receive is valid for one hour.
Invitation/Welcome Emails or Content Update Tokens: These emails are triggered when you launch your handbook, start a new signature round, or publish new changes to a document AND you choose to notify your audience. They're also included in any automated invitations or signature reminders. These tokens have a longer lifespan to give people more time to use them, since they weren't the ones who triggered the email.
For employees, the links in these emails last for 82 hours, approximately three and a half days. This means that if you send one of these emails on a Friday morning, it will still work for recipients through Monday evening.
For users with elevated permissions (such as organization administrators, team owners, and so on), these links are valid for a shorter period - only 24 hours - for security reasons.
Expired vs. Invalidated Tokens
Now, what happens if you click on a link after the token has expired? You'll be taken to the correct place, but if you aren't using Single Sign-On (SSO), you'll see a "token expired" error. Don't panic, you just need to click the blue "sign in" link to request a new tokenized link.
Here's the basic error page.
Sometimes we'll report on how long the token lived for.
For welcome and notification emails, the message you get will look like the following:
Don't forget to click on the blue "sign in" link!
At some point, you or an employee may come across an invalid token error. This generally happens when a new token has been created for someone and they are trying to use an old token. Whenever a new token is created, the previous token is invalidated.
To get through this, it's essentially the same process as with expired tokens. You're in the right place, you just need to click the blue "sign in" or "signing in again" link.
Key Takeaway
If you ever encounter a "token expired" or "token invalid" message, just click the blue "sign in" or "signing in again" link to request a new one. We've made it as simple as possible for you to continue accessing your account and the resources you need.
Remember, ensuring the security and integrity of your account is our top priority, and these token measures are a part of that commitment. If you have any further questions or issues, don't hesitate to reach out to our support team!