Overview

The authentication sessions in our system are crucial to maintaining secure access to the endpoints. To manage session authentication, we employ two different timeouts: refresh token timeout and access token timeout.

Refresh Token Timeout

The refresh token timeout defines the overall duration of the session, with a default value of 100 days. This long duration lets users remain logged in without frequent reauthentication.

Access Token Timeout

On the other hand, the access token timeout does not affect the overall session duration. Instead, it dictates the frequency of session refreshes, which is set to occur every hour of inactivity. The primary goal of this timeout is to enhance session security by requiring periodic reauthentication, without negatively affecting the user experience.

By employing these two timeouts, we ensure that users can access the endpoints securely without compromising the safety of their data.

Token Renewal Endpoint

To refresh an expired access token, use the /auth/session/refresh endpoint. This endpoint takes the refresh token and issues a new access token valid for another hour alongside a new refresh token.

Refreshing Token using Cookies

If you previously signed up or logged in using the cookie-based authentication mode, you only have to make sure that the cookies are sent along with the request below. For the normal case where this request is fired from a browser, this happens by default as long as your fastgen project and the website that triggers the refresh request run on the same top-level domain. If they run on different domains, have a look at the other authentication modes.

If successful, your cookies get automatically updated to contain the new access token and refresh token.

Refreshing Token using Header- or Body-based authentication

If you previously signed up or logged in using the header- or body-based authentication mode, you have to actively send the refresh token to the endpoint by specifying it in the Authorization header as shown below. Also don't forget to set either the 'st-auth-mode': 'header' or the 'fg-auth-mode': 'body' header, which controls whether the new access token and refresh token are returned in the headers or in the body of the response.

Common Error Responses

  • If you receive message: "token theft detected" as a response, it means you called the refresh endpoint with an old refresh token for which a new access token and refresh token pair has already been issued. Because every successful refresh rotates the refresh token, a second use of the same token indicates that two parties hold a copy of it.
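The following is an added illustration of the session model described above (one-hour access token, 100-day session, refresh token rotation and reuse detection), not fastgen's own implementation; the SessionStore class, its method names and the error messages other than "token theft detected" are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass

ACCESS_TTL = 60 * 60                 # access token timeout: one hour
REFRESH_TTL = 100 * 24 * 60 * 60     # refresh token timeout: 100 days, the overall session length


@dataclass
class Session:
    refresh_token: str        # the only refresh token currently accepted for this session
    refresh_expires_at: float # hard end of the session, fixed at login, never extended
    access_expires_at: float
    revoked: bool = False


class SessionStore:
    """In-memory model of refresh token rotation with theft detection (example only)."""

    def __init__(self):
        # Every refresh token ever issued (current and rotated-out) maps to its session,
        # so presenting an old token still identifies the session it belonged to.
        self.by_refresh_token = {}

    def _issue_pair(self, s, now):
        s.refresh_token = secrets.token_urlsafe(32)
        s.access_expires_at = now + ACCESS_TTL
        self.by_refresh_token[s.refresh_token] = s
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": s.refresh_token,
                "access_expires_at": s.access_expires_at}

    def login(self, now):
        s = Session("", now + REFRESH_TTL, now)
        return self._issue_pair(s, now)

    def refresh(self, refresh_token, now):
        """Models POST /auth/session/refresh; returns a new pair or a {"message": ...} error."""
        s = self.by_refresh_token.get(refresh_token)
        if s is None or s.revoked or now >= s.refresh_expires_at:
            return {"message": "session expired or unknown"}   # assumed message
        if refresh_token != s.refresh_token:
            # A rotated-out token was presented again: two parties hold a copy.
            # Revoke the whole session so neither the client nor the thief can continue.
            s.revoked = True
            return {"message": "token theft detected"}
        return self._issue_pair(s, now)
```

Each refresh invalidates the previous refresh token, so a client must always store the newest pair; after a theft response, both parties are logged out and the user has to authenticate again.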