The difference with a password reset email though is that it unlocks all of the user's existing data - posts, images, contacts, whatever.
For our invite emails, there is no user data yet, since we are inviting them to join as a new user (in our system - HR SaaS - they are actually a candidate). So there is no exposure in having invite links that work for a week or longer.
In some other use cases, yes, a new user will see some sensitive data, e.g. their teammates' contact details. In that situation there is a case for very short-lived invite links (just as for password resets).
But still we could do so much better than making them enter the email address again.
I think this is an underdeveloped area of usability in auth systems (that I'm familiar with anyway).