Nonces are generated numbers used to verify origin and intent of requests for security purposes.

A new one is created if one logs out and then back in.

https://developer.wordpress.org/plugins/security/nonces/

We can verify a supplied nonce value against the value WP created. It returns true or false.

As the WP nonce was created on the page in WP, we can be sure the data received came from that page.

WP uses a tick cycle of 12 hrs starting from midnight.

A nonce is valid for 2 ticks and stops being valid in the third tick, so its lifetime is a maximum of 24 hrs, not a guaranteed full 24 hrs.
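
The tick window and the log-out behaviour described above, as an added stand-alone PHP model (not WordPress core code and not from the original notes). It follows the scheme of `wp_create_nonce()` and `wp_verify_nonce()`, which returns 1 or 2 for a valid nonce and false otherwise. The `model_*` function names, the salt, the user ID, the session tokens and the date are assumptions constructed for illustration.

```php
<?php
// Added stand-alone model of the nonce tick window; not WordPress core code.
// SECRET, the user ID, the session tokens and the date are constructed sample values.
const NONCE_LIFE = 86400;                 // 24 hrs, so one tick is 12 hrs
const SECRET     = 'constructed-sample-salt';

// Tick counter: goes up by one every NONCE_LIFE / 2 seconds, at midnight and noon UTC.
function model_nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// The nonce is a keyed hash over tick, action, user ID and session token.
function model_nonce_hash(int $tick, string $action, int $uid, string $token): string {
    return substr(hash_hmac('md5', "$tick|$action|$uid|$token", SECRET), -12, 10);
}

function model_create_nonce(string $action, int $uid, string $token, int $now): string {
    return model_nonce_hash(model_nonce_tick($now), $action, $uid, $token);
}

// Returns 1 (made in the current tick), 2 (made in the previous tick) or false.
function model_verify_nonce(string $nonce, string $action, int $uid, string $token, int $now) {
    $tick = model_nonce_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $result => $candidate) {
        // hash_equals() compares in constant time
        if (hash_equals(model_nonce_hash($candidate, $action, $uid, $token), $nonce)) {
            return $result;
        }
    }
    return false;
}

$noon  = strtotime('2024-01-01 12:00:00 UTC');   // a tick boundary
$check = function (string $label, string $nonce, string $token, int $now): void {
    echo str_pad($label, 46), var_export(model_verify_nonce($nonce, 'NoncePageTest', 7, $token, $now), true), "\n";
};

// Created one second after the boundary: the longest-lived case.
$early = model_create_nonce('NoncePageTest', 7, 'session-A', $noon + 1);
$check('same tick', $early, 'session-A', $noon + 3600);
$check('second tick', $early, 'session-A', $noon + 43201);
$check('third tick, 24 hrs after creation', $early, 'session-A', $noon + 86401);

// Created one second before the next boundary: same tick, so the same nonce value.
$late = model_create_nonce('NoncePageTest', 7, 'session-A', $noon + 43199);
$check('third tick, 12 hrs 2 s after creation', $late, 'session-A', $noon + 86401);

// After logging out and back in the session token differs, so the old nonce fails.
$check('new session token', $early, 'session-B', $noon + 3600);
```

Depending on where in the tick it was created, the same nonce value lasts anywhere between 12 and 24 hrs, and it is reused for every request with the same action, user and session inside that tick.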

Great article on nonces: https://www.bynicolas.com/code/wordpress-nonce/

Session Token:
$PageNonce = wp_create_nonce('NoncePageTest')
PageNonce = a1b3da5ea2
Invalid Nonce $InvalidNonce set by us:
InvalidNonce = 3dd3445tt3r33
Verify our CREATED NONCE: wp_verify_nonce($PageNonce,'NoncePageTest')
NONCE is VALID
Verify our INVALID NONCE: wp_verify_nonce($InvalidNonce,'NoncePageTest')
NONCE is INVALID

https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/

https://developer.wordpress.org/reference/functions/wp_nonce_field/

https://codex.wordpress.org/WordPress_Nonces

https://pantheon.io/blog/nonce-upon-time-wordpress