Session Settings


Your application retrieves and refreshes access tokens from the Auth.it server. These tokens provide verifiable information about the user and their associated organizations and roles. The process of expiring and refreshing these tokens also allows the Auth.it server to control the session length before the user is required to reauthenticate.

Auth.it lets you customize the session settings for your application. To do this, go to the Authentication view, scroll down to the Sessions section, and click Configure Sessions. The default values are shown below:

[Screenshot: Default session settings]

Here’s what the three available configuration settings mean:

  • Access token lifespan (default: 300 seconds, or 5 minutes): the lifespan of a JWT access token. Your application uses its refresh token to request a new access token when the previous one expires. This happens behind the scenes without the end user noticing anything. Keep this value short to reduce the risk of attacks that exploit long-lived tokens.
  • Session idle timeout (default: 1,800 seconds, or 30 minutes): the maximum idle time with no user interaction or token refreshes before the session is terminated. Once this time passes, the user must log in again the next time they interact with the application, even if the session lifespan has not yet expired.
  • Maximum session lifespan (default: 36,000 seconds, or 10 hours): the maximum time, regardless of token refreshes, that a user session can remain active without reauthenticating. Even if the user is actively interacting with the application, once the default 10 hours pass, the session expires and they must log in again. This acts as a “hard cap” on session length. Long sessions can introduce security risks, so it’s not recommended to let sessions exceed 24 hours.
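To see how the three settings interact, here is an added Python model (not Auth.it's own code) that replays a constructed timeline of login and refresh events against a policy using the defaults above: a refresh succeeds only while both the idle timeout and the maximum lifespan still hold, and the access token itself is only usable for its lifespan. The event names, the `Session` fields and the outcome strings are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionPolicy:
    """The three Auth.it session settings, using the page's defaults (seconds)."""
    access_token_lifespan: int = 300       # 5 minutes
    session_idle_timeout: int = 1800       # 30 minutes
    max_session_lifespan: int = 36000      # 10 hours


@dataclass
class Session:
    login_at: int              # when the user last authenticated
    last_activity_at: int      # last token refresh or user interaction
    token_issued_at: int       # when the current access token was minted


def access_token_valid(policy: SessionPolicy, session: Session, now: int) -> bool:
    return now - session.token_issued_at < policy.access_token_lifespan  # JWT still usable?


def try_refresh(policy: SessionPolicy, session: Session, now: int) -> str:
    """Apply the two session limits to a refresh request and return the outcome."""
    if now - session.login_at >= policy.max_session_lifespan:
        return "max_lifespan_exceeded"      # hard cap, regardless of activity
    if now - session.last_activity_at >= policy.session_idle_timeout:
        return "idle_timeout"               # no refresh or interaction for too long
    session.last_activity_at = now
    session.token_issued_at = now           # a fresh access token is issued
    return "refreshed"


def simulate(policy: SessionPolicy, events: list[tuple[str, int]]) -> list[str]:
    """Replay ('login' | 'refresh', t) events in time order and record each outcome."""
    session, outcomes = None, []
    for kind, t in events:
        if kind == "login":
            session = Session(t, t, t)
            outcomes.append("logged_in")
        elif session is None:
            outcomes.append("no_session")    # user must log in again first
        else:
            result = try_refresh(policy, session, t)
            if result != "refreshed":
                session = None               # session terminated by the server
            outcomes.append(result)
    return outcomes
```

With the defaults, a client that refreshes every 5 minutes is cut off exactly 10 hours after login even though it was never idle, while a 30-minute gap between refreshes ends the session before the cap.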