avoid using custom or proprietary tokens in favor of open industry standards such as JSON Web Token (JWT). All access tokens must expire within a reasonable amount of time (less than 24 hours), and refresh intervals should reflect the security characteristics of the data being accessed. Use fine-grained access and the principle of least permission when defining tokens.
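As an added example (not part of this guidance document), a minimal HS256 JWT issuer and verifier built only on the Python standard library that enforces the rules above: `exp` and `iat` are mandatory, no token may live longer than 24 hours, and the caller's required scope is checked on every verification. The key, subject and scope names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

MAX_LIFETIME = 24 * 3600  # policy ceiling: no access token lives longer than 24h

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(key: bytes, subject: str, scopes: list, lifetime: int, now=None) -> str:
    """Mint an HS256 JWT carrying only the scopes the caller actually needs."""
    if lifetime > MAX_LIFETIME:
        raise ValueError("lifetime exceeds the 24h policy ceiling")
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": subject, "scope": " ".join(scopes),
                                  "iat": now, "exp": now + lifetime}, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(key: bytes, token: str, required_scope: str, now=None) -> dict:
    """Return the claims if signature, lifetime and scope all pass; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' chosen by the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if "exp" not in claims or "iat" not in claims:
        raise ValueError("exp and iat are mandatory")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:  # reject tokens minted outside the policy
        raise ValueError("token lifetime exceeds policy")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():  # fine-grained, per-call check
        raise ValueError("missing scope " + required_scope)
    return claims
```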