Session Settings
Your application retrieves and refreshes access tokens from the Auth.it server. These tokens provide verifiable information about the user and their associated organizations and roles. The process of expiring and refreshing these tokens also allows the Auth.it server to control the session length before the user is required to reauthenticate.
Auth.it lets you customize the session settings for your application. To do this, go to the Authentication view, scroll down to the Sessions section, and click Configure Sessions. The default values are shown below:

Here’s what the three available configuration settings mean:
- Access token lifespan (default: 300 seconds, or 5 minutes): the lifespan of a JWT access token. Your application uses its refresh token to request a new access token when the previous one expires. This happens behind the scenes without the end user noticing anything. Keep this value short to reduce the risk of attacks that exploit long-lived tokens.
- Session idle timeout (default: 1,800 seconds, or 30 minutes): the maximum idle time with no user interaction or token refreshes before the session is terminated. Once this time passes, the user must log in again the next time they interact with the application, even if the session lifespan has not yet expired.
- Maximum session lifespan (default: 36,000 seconds, or 10 hours): the maximum time, regardless of token refreshes, that a user session can remain active without reauthenticating. Even if the user is actively interacting with the application, once the default 10 hours pass, the session expires and they must log in again. This acts as a “hard cap” on session length. Long sessions can introduce security risks, so it’s not recommended to let sessions exceed 24 hours.
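To see how the three settings interact, here is an added Python simulation (not Auth.it's own code) that replays refresh attempts against the defaults and reports which setting ends the session; the `SessionSettings` and `Session` structures, the strict boundary comparison and the constructed timelines are assumptions, and `policy_warnings` encodes the 24-hour guidance above:

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class SessionSettings:
    """The three settings described above, in seconds; the values are the page's defaults."""
    access_token_lifespan: int = 300    # 5 minutes: the app refreshes when this runs out
    session_idle_timeout: int = 1800    # 30 minutes
    max_session_lifespan: int = 36000   # 10 hours (hard cap)

@dataclass(frozen=True)
class Session:
    started_at: int        # time of the last interactive login (assumed field)
    last_activity_at: int  # last user interaction or token refresh (assumed field)
    token_issued_at: int   # when the current access token was issued (assumed field)

def refresh_denial_reason(s, sess, now) -> Optional[str]:
    """None if a refresh at `now` is allowed, else the setting that forces a new login.
    The hard cap is checked first because activity never extends it; a strict '>' at the
    exact boundary is an assumption, not documented Auth.it behaviour."""
    if now - sess.started_at > s.max_session_lifespan:
        return "max_session_lifespan"
    if now - sess.last_activity_at > s.session_idle_timeout:
        return "session_idle_timeout"
    return None

def simulate(s, refresh_times, login_at=0) -> List[Tuple[int, Optional[str]]]:
    """Replay refresh attempts (seconds) against the policy. A denied refresh ends the
    session; the user is assumed to log in again at that instant, starting a new one."""
    sess = Session(login_at, login_at, login_at)
    events = []
    for t in refresh_times:
        reason = refresh_denial_reason(s, sess, t)
        sess = replace(sess, last_activity_at=t, token_issued_at=t) if reason is None else Session(t, t, t)
        events.append((t, reason))
    return events

def policy_warnings(s) -> List[str]:
    """Checks drawn from the guidance above: the 24-hour ceiling, and an idle timeout that can never fire."""
    warnings = []
    if s.max_session_lifespan > 24 * 3600:
        warnings.append("max_session_lifespan exceeds the recommended 24-hour ceiling")
    if s.session_idle_timeout >= s.max_session_lifespan:
        warnings.append("session_idle_timeout never triggers before max_session_lifespan")
    return warnings

if __name__ == "__main__":
    print(simulate(SessionSettings(), [300, 600, 2500]))                  # constructed: 1,900 s gap -> idle timeout
    print(simulate(SessionSettings(), list(range(300, 36301, 300)))[-2:])  # constructed: steady use -> 10 h hard cap
    print(policy_warnings(SessionSettings(max_session_lifespan=48 * 3600)))
```

Because a token refresh counts as activity, an application that refreshes on a timer rather than only when a user-driven request needs a token will never reach the idle timeout; only the maximum session lifespan then bounds the session.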