Appearance
Token Lifecycle & Performance Tuning
ProAuth supports two token storage backends: a Redis state store (via Dapr) and a SQL database. The applicable tuning settings depend on which backend is active.
INFO
The token backend is determined by the Dapr configuration. When Dapr is enabled and a state store component is configured, ProAuth automatically uses the Redis/state-store backend. When Dapr is disabled, the SQL database backend is used.
Redis / State-Store Backend
When Dapr is enabled, tokens are stored in Redis using Dapr's state management. Redis natively handles expiry through TTL metadata, so active tokens expire automatically when their exp claim is reached.
Revoked Token Retention
By default, revoked tokens are not immediately deleted from Redis. Instead, ProAuth re-saves them with a revoked marker and a short TTL so that all ProAuth instances can observe the revocation state during a bounded propagation window.
| Value | Behaviour |
|---|---|
120 (default) | Revoked token stays in Redis for 2 minutes, then Redis removes it automatically. |
> 0 | Revoked token stays in Redis for the configured number of seconds. |
0 | Revoked token is hard-deleted from Redis immediately upon revocation. |
WARNING
Setting this value to 0 means revoked tokens are deleted immediately. In a multi-instance deployment, there is a brief window (bounded by Redis replication/propagation) where another ProAuth instance may not yet have observed the deletion. Use 0 only if your deployment topology and SLA permit this trade-off.
For most deployments the default value of 120 seconds is appropriate.
Configure in your values.yaml under appsettings.baseservicesettings:
yaml
appsettings:
baseservicesettings:
tokenstatestorettlafterrevocationinseconds: 120Per-User Token Index Concurrency
ProAuth maintains a per-user index of active token IDs in Redis. In a multi-instance deployment, concurrent requests (e.g. simultaneous token issuance and refresh for the same user) can race to update this index.
ProAuth uses optimistic concurrency (ETag-based conditional writes via Dapr) with exponential back-off retries. This setting controls the maximum number of retry attempts before an error is raised.
| Value | Behaviour |
|---|---|
8 (default) | Up to 8 retries; worst-case back-off is approximately 2.5 seconds total. |
| Lower values | Faster failure under pathological contention, at the cost of more errors. |
| Higher values | More resilient to extreme concurrent load, but increases worst-case latency. |
In realistic workloads the first or second attempt succeeds. Only under very high concurrency on the same user (e.g. large-scale device-code flows) will retries be needed.
Configure in your values.yaml under appsettings.baseservicesettings:
yaml
appsettings:
baseservicesettings:
usertokensmaxconcurrencyretries: 8Database Backend
When Dapr is disabled, tokens are persisted in the ProAuth SQL database. Expired and revoked tokens are cleaned up by a background job.
Token Prune Interval
Controls how frequently the background job runs to remove expired and revoked tokens from the database.
| Value | Behaviour |
|---|---|
60 (default) | Pruning runs every 60 minutes. |
| Lower values | More frequent cleanup; useful for smaller token tables in high-traffic environments. |
| Higher values | Less frequent cleanup; lower background load. |
INFO
This setting has no effect when using the Redis/state-store backend. In that case, Redis TTL handles expiry natively and the prune job is a no-op.
Configure in your values.yaml under appsettings.baseservicesettings:
yaml
appsettings:
baseservicesettings:
tokenstorepruneintervalinminutes: 60Full Example
The following values.yaml snippet shows all three settings with their defaults. Uncomment and adjust only the values you want to override.
yaml
appsettings:
baseservicesettings:
# Redis / state-store token backend (Dapr enabled):
#tokenstatestorettlafterrevocationinseconds: 120 # seconds; 0 = immediate hard-deletion
#usertokensmaxconcurrencyretries: 8 # optimistic-concurrency retry cap
# Database token backend (Dapr disabled):
#tokenstorepruneintervalinminutes: 60 # minutes between prune job runsSummary
values.yaml key | Backend | Default | Description |
|---|---|---|---|
tokenstatestorettlafterrevocationinseconds | Redis | 120 | Seconds a revoked token is retained in Redis. 0 = deleted immediately. |
usertokensmaxconcurrencyretries | Redis | 8 | Max optimistic-concurrency retries for per-user token index updates. |
tokenstorepruneintervalinminutes | Database | 60 | Minutes between background token-prune job runs. |