Project Settings

This guide covers all the customizable settings for your Descope project. Configure these settings on the Project Settings page of the Descope Console.

Project Creation

When you create a new Descope Project, you can configure the following settings:

  • Project Name: Name of your project. Can be modified later.
  • Region: We support multi-region data residency. The region (US or EU) is selected during the project creation and cannot be changed after the project has been created.
  • Environment Settings: Choose whether or not the project has the production tag. The tag is primarily an internal identifier, but Static OTP for Test Users is disabled in production-tagged projects. You can also add custom tags to the project. Can be modified later.
  • Project Configuration: Choose whether or not to clone the configurations of an existing project in the same company. This will not clone user data.

Once a Descope Project has been created, you can edit the following settings from the Project Settings page of the Descope Console.

General Settings

Under the General tab on the Project Settings page, you can configure the following:

General

You can modify the Project Name and Environment Settings previously set during Project Creation.

Additionally, you can configure the URL of your application, and configure a custom domain.

Security

Approved Domains

Configure domains allowed for redirect and verification URLs across authentication methods. Leaving this empty disables validation and creates security vulnerabilities.

  • Web Domains: Enter domain only, without protocol (e.g., example.com not https://example.com)
  • Mobile App Schemes: For custom schemes like descopewebauth://redirect, enter the identifier (e.g., redirect) to enable secure mobile authentication flows.

All redirect URIs are validated against this trusted domain list to maintain security.

Federated App callback URLs are restricted according to this approved domains list. Approved Inbound App callback URLs are defined in the Inbound App's settings.
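The following added example (not Descope's code) sketches the kind of check an approved-domains list implies: a redirect URL is accepted only when its parsed host is exactly an allow-listed entry. The allow-list values, function names, the exact-match rule and the https-only rule are assumptions of this sketch.

```python
from urllib.parse import urlsplit

MOBILE_SCHEME = "descopewebauth"  # custom scheme named in the text above


def clean_domain_entry(entry: str) -> str:
    """Normalize an allow-list entry; reject entries that include a protocol or path."""
    entry = entry.strip().lower()
    if not entry or "://" in entry or "/" in entry:
        raise ValueError(f"enter the domain only, without protocol: {entry!r}")
    return entry


# Constructed allow-list values (assumptions, not from a real project).
APPROVED_WEB_DOMAINS = {clean_domain_entry(d) for d in ("example.com", "app.example.com")}
APPROVED_MOBILE_IDS = {"redirect"}  # as in descopewebauth://redirect


def is_approved_redirect(url: str) -> bool:
    """Return True only if the URL's parsed host is exactly on the allow-list."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    scheme = parts.scheme.lower()
    if scheme == "https":
        # Compare the parsed host, never a substring or prefix of the raw URL.
        return host in APPROVED_WEB_DOMAINS
    if scheme == MOBILE_SCHEME:
        return host in APPROVED_MOBILE_IDS
    return False  # http, relative URLs and every other scheme are rejected


if __name__ == "__main__":
    # Constructed sample URLs.
    for candidate in (
        "https://example.com/callback",
        "https://example.com.untrusted.test/cb",   # allow-listed name used as a prefix
        "https://example.com@untrusted.test/cb",   # allow-listed name in the userinfo part
        "descopewebauth://redirect",
    ):
        print(candidate, "->", is_approved_redirect(candidate))
```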

Federated Apps

Define the default access to Federated Apps for new users.

Signing Keys

Here you can view, manage, and rotate JWKs, keys used for verification of JWTs by the Authorization Server.

Sign Ups and User Invitations

Sign Up

Check Block self-registration sign up to restrict new user sign up.

With this setting enabled, users can only sign in if they have been previously invited to your project or by using SSO to sign in.

User Invitations

This is where you can define how invitations are sent to users and customize the invitations.

  • User Invitation Redirect URL:

    This URL is included in the invite email/SMS sent to the end user. It is typically the login or sign-up page of the application.

  • Add a Magic Link token to the Invitation Link:

    For a smoother authentication experience, add a Magic Link to your user's invitation email/SMS, so that after clicking the link only verification is needed. You can also define the token expiration time here. To handle a Magic Link token in the flow, refer to the Verify Token guide.

  • Invitation Sending Methods:

    Choose to send the invitation via Email and/or Text Message (SMS). For both options, you can configure the messaging connector to use, as well as the template. For more details on configuring messaging templates, refer to our messaging templates guide.

Test Users

Define a regex pattern to match Login IDs during sign-up. Users with matching Login IDs are automatically marked as test users. Here, you can also configure a Static OTP Code to be used for the test users' verifiers (email and phone).

For complete setup instructions and advanced configuration options, see the Test Users Guide.
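Because matching Login IDs are marked as test users and can use the Static OTP Code, a candidate pattern is worth checking against sample IDs before it is saved. The added example below (not Descope's code) audits a pattern under both substring and whole-string matching, since this page does not say which applies; the sample Login IDs, patterns and function name are constructed for illustration.

```python
import re

# Constructed sample Login IDs mapped to whether they SHOULD be test users.
SAMPLE_IDS = {
    "qa+1@test.example.com": True,
    "qa+22@test.example.com": True,
    "alice@example.com": False,
    "qa+1@test.example.com.other.test": False,  # intended ID used as a prefix
    "qa+1@testxexample.com": False,             # differs where a dot was expected
    "xqa+7@test.example.com": False,            # intended ID used as a suffix
}


def audit_pattern(pattern: str, samples: dict) -> dict:
    """List the sample IDs a pattern misclassifies under each matching mode."""
    compiled = re.compile(pattern)
    modes = {"search": compiled.search, "fullmatch": compiled.fullmatch}
    report = {}
    for mode, matcher in modes.items():
        report[mode] = [
            login_id
            for login_id, expected in samples.items()
            if bool(matcher(login_id)) != expected
        ]
    return report


# Unanchored, with one unescaped dot: over-matches in both modes.
LOOSE = r"qa\+\d+@test.example\.com"
# Anchored, with every literal dot escaped: classifies all samples correctly.
STRICT = r"^qa\+\d+@test\.example\.com$"

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(name, audit_pattern(pattern, SAMPLE_IDS))
```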

Project Management

You can manage the cloning, export, and import of projects within this section of Project Settings. For details, review our dedicated guide on Managing Environments.

Session Management

Under the Session Management tab on the Project Settings page, you can configure the following:

Session management can also be overridden at a tenant level. More information about tenant level session management can be found here.

Token Format

Here you can assign the JWT Templates that JWTs generated by this project will use. Both User and Access Key JWT Templates can be assigned here.

Refer to the JWT Templates Settings documentation to learn how to configure JWT Templates.

Token Expiration

Define default expiration times for different tokens used for authentication.

Refresh Token Timeout

Expiry time for the refresh token, after which the user must log in again.

Refresh Token Rotation

Configuring Refresh Token Rotation is a pro+ tier feature.

When enabled, every time the user refreshes their session token (using the refresh token), the refresh token is also replaced with a new one. This method is considered a more secure approach.

To learn more, check out our Refresh Token Rotation guide.

Session Token Timeout

Expiry time of the session token, used for accessing the application's resources. Value needs to be at least 3 minutes and can't be longer than the Refresh Token Timeout.

Step Up Token Timeout

Expiry time for the Step Up token, after which the step up token will not be valid, and the user will automatically go back to the Session token.

Trusted Device Token Timeout

Expiry time of the trusted device token. Value needs to be at least 3 minutes.

Access Key Session Token Timeout

Expiry time of the access key session token. Value needs to be at least 3 minutes and can't be longer than 1 month.

Session Inactivity

Detect idle sessions and close them on behalf of the user, to protect sensitive information. An idle session occurs when there is no user activity within the system for the specified duration.

Token Response Methods

Configure how tokens are managed by the Descope SDKs. For both the refresh and session token, you can choose to Manage in response body or Manage in cookies.

Refer to our Session Token Management Guide for best practices.

Session Migration (Beta)

Enable seamless migration of existing user sessions from another vendor to Descope. Refer to our Session Migration doc for more details.

JWT Templates

Under the JWT Templates tab on the Project Settings page, you can configure JWT Templates for User and Access Tokens. Refer to our JWT Templates doc for more details.
