Is it possible to have multiple API Access Tokens for one user? Our system allows one user to have multiple sessions open, these can span multiple web app servers; we’re trying to figure out token management regarding the requirement for after 15 minutes of inactivity, purge tokens (NHS CIA Ses Req 005/006). If we could have multiple tokens per user, we could treat each session separately, assigning one token to each and if one session was inactive for more than 15 minutes it wouldn’t purge tokens for the other sessions.
If a user can only have one token at a time we’ll need to do some web platform changes to allow the different web app servers to share one token and inactivity monitoring across multiple sessions.
A user can have multiple CIS2 Auth sessions open at any time (the limit is 10 concurrent sessions, the 11th will automatically kill the 1st). Each session will have a unique id_token and correspondingly unique access_tokens for API-M.
As part of the BCL request we will notify you which session (or all) has ended