Overview

The authentication sessions in our system are crucial to maintaining secure access to the endpoints. To manage session authentication, we employ two different timeouts: refresh token timeout and access token timeout.

Refresh Token Timeout

The refresh token timeout defines the overall duration of the session, with a default value of 100 days. This long lifetime lets users remain logged in for an extended period without frequent reauthentication.

Access Token Timeout

The access token timeout, on the other hand, does not affect the overall session duration. Instead, it dictates how often the session is refreshed: an access token expires after one hour of inactivity, at which point the session must be refreshed. The primary goal of this timeout is to strengthen session security by requiring periodic reauthentication without hurting the user experience.

By employing these two timeouts, we ensure that users can access the endpoints securely without compromising the safety of their data.

Token Renewal Endpoint

To refresh an expired access token, use the /auth/session/refresh endpoint. This endpoint retrieves the refresh token from cookies and issues a new access token, valid for another hour.

Example Request

  curl --location --request POST 'https://my-project.fastgenapp.com/auth/session/refresh'

By default, the renewed tokens are saved in cookies. You can also choose to receive the new tokens in the response headers or in the response body:

  • by setting the header 'st-auth-mode': 'header', you receive the access token and refresh token in the response headers
  • by setting the header 'fg-auth-mode': 'body', you receive the access token and refresh token in the response body
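The two timeouts described above and the renewal flow of /auth/session/refresh, modelled as an added example that is not the product's own code: a constructed Session with the page's 100-day refresh timeout and one-hour access timeout, a status check that tells a client whether to serve a request, refresh, or log in again, and a refresh that issues a new one-hour access token without ever extending the session itself. The timestamps and the simulate() timeline are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

# Timeouts stated on this page: refresh token 100 days, access token 1 hour.
REFRESH_TOKEN_TIMEOUT = timedelta(days=100)
ACCESS_TOKEN_TIMEOUT = timedelta(hours=1)

class SessionStatus(Enum):
    ACTIVE = "active"                # access token valid: serve the request
    NEEDS_REFRESH = "needs_refresh"  # access token expired, refresh token valid: call /auth/session/refresh
    EXPIRED = "expired"              # refresh token expired: session over, log in again

@dataclass
class Session:
    """Constructed model of one authenticated session (not the product's own code)."""
    login_at: datetime          # when the refresh token was issued
    access_issued_at: datetime  # when the current access token was issued

    def refresh_expires_at(self) -> datetime:
        return self.login_at + REFRESH_TOKEN_TIMEOUT

    def access_expires_at(self) -> datetime:
        return self.access_issued_at + ACCESS_TOKEN_TIMEOUT

    def status(self, now: datetime) -> SessionStatus:
        if now >= self.refresh_expires_at():
            return SessionStatus.EXPIRED
        if now >= self.access_expires_at():
            return SessionStatus.NEEDS_REFRESH
        return SessionStatus.ACTIVE

    def refresh(self, now: datetime) -> bool:
        """Mimic /auth/session/refresh: issue a new one-hour access token while the refresh token is valid."""
        if self.status(now) is SessionStatus.EXPIRED:
            return False
        self.access_issued_at = now  # refresh-token expiry is untouched: session length is fixed at login
        return True

def simulate(login_at: datetime, request_times: list) -> list:
    """Walk a constructed timeline of request times, refreshing whenever the access token has expired."""
    session = Session(login_at=login_at, access_issued_at=login_at)
    log = []
    for t in request_times:
        status = session.status(t)
        if status is SessionStatus.NEEDS_REFRESH:
            session.refresh(t)
        log.append(status)
    return log
```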