# User Sessions

## Session overview

A session is created when a user signs in. By default, sessions last **30 days** and a user can have an unlimited number of active sessions.

A session is represented by a secure session token stored in signed HttpOnly cookies.

## Automatic session refresh

Openfort uses a **sliding session** model:

* Sessions extend automatically when the user makes authenticated requests
* If a session is used within its refresh window (one day before it would otherwise be refreshed), its expiration is pushed forward
* No manual "refresh token" exchange is required
* If a session goes 30 days without being accessed, it expires

This approach balances security (sessions eventually expire) with convenience (active users stay logged in).

## Session termination

A session terminates when:

* The user clicks sign out
* The user changes their password or performs a security-sensitive action
* The session goes 30 days without activity and reaches its expiry
* The session is explicitly revoked
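
The sliding refresh and the termination rules above, modelled as an added example (this is illustrative code, not Openfort's server implementation): a minimal in-memory session store whose `touch()` slides the 30-day expiry on each authenticated request, and whose `revoke()` / `revokeAllForUser()` cover sign-out, password change and explicit revocation. The one-day refresh window is interpreted here as a write throttle (the expiry is only rewritten once the previous refresh is older than a day); that reading, the `SessionStore` API and the base64url identifier encoding are assumptions.

```ts
// Added example, not Openfort's code. Durations follow the page; the refresh
// window throttle and the class API are assumptions for illustration.
import { randomBytes } from 'crypto';

const DAY_MS = 24 * 60 * 60 * 1000;
const SESSION_TTL_MS = 30 * DAY_MS;   // idle lifetime: 30 days without access
const REFRESH_WINDOW_MS = 1 * DAY_MS; // assumed: rewrite the expiry at most once per day

interface SessionRecord {
  userId: string;
  expiresAt: number;     // epoch ms; slides forward on use
  lastRefreshAt: number; // epoch ms of the last expiry rewrite
  revoked: boolean;
}

class SessionStore {
  private sessions = new Map<string, SessionRecord>();

  // Sign-in: mint a random 32-character session id with a fresh 30-day expiry.
  create(userId: string, now: number): string {
    const id = randomBytes(24).toString('base64url'); // 24 bytes -> 32 url-safe chars
    this.sessions.set(id, { userId, expiresAt: now + SESSION_TTL_MS, lastRefreshAt: now, revoked: false });
    return id;
  }

  // Authenticated request: returns the user id if the session is live and slides
  // the expiry; returns null (and drops the record) when expired or revoked.
  touch(id: string, now: number): string | null {
    const s = this.sessions.get(id);
    if (!s) return null;
    if (s.revoked || now >= s.expiresAt) {
      this.sessions.delete(id);
      return null;
    }
    // Throttle: only extend once the last refresh is older than the window.
    if (now - s.lastRefreshAt >= REFRESH_WINDOW_MS) {
      s.expiresAt = now + SESSION_TTL_MS;
      s.lastRefreshAt = now;
    }
    return s.userId;
  }

  // Explicit revocation (sign-out, admin action): the next touch() fails.
  revoke(id: string): void {
    const s = this.sessions.get(id);
    if (s) s.revoked = true;
  }

  // Security-sensitive action such as a password change: revoke every session
  // of the user, optionally sparing the one that performed the action.
  revokeAllForUser(userId: string, except?: string): number {
    let n = 0;
    for (const [id, s] of this.sessions) {
      if (s.userId === userId && id !== except && !s.revoked) {
        s.revoked = true;
        n++;
      }
    }
    return n;
  }

  expiresAt(id: string): number | undefined {
    return this.sessions.get(id)?.expiresAt;
  }
}
```

Note that revocation is a flag on the server-side record, not something the cookie can express: a revoked token still carries a valid signature, which is why every request has to consult the store.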

## Session token format

Session tokens are:

* Randomly generated unique identifiers (32 characters)
* Signed using HMAC-SHA-256 with your project's secret
* Stored in secure, HttpOnly cookies with the `openfort` prefix
* Verified against Openfort's servers on each request

The token format is `{token}.{signature}`. The signature lets a token that has been altered be rejected without a database lookup; it does not by itself tell you whether the session is still live, which is why the token is also checked against Openfort's servers on each request.
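
The `{token}.{signature}` layout with an HMAC-SHA-256 signature, as an added example written for this page rather than taken from the Openfort SDK: `issueSessionToken()` mints a 32-character random token and appends its MAC, `verifySessionToken()` checks the MAC in constant time and returns the bare token for the server-side lookup, and `sessionTokenFromCookieHeader()` pulls the value out of a `Cookie` header. The project secret, the base64url encodings and the cookie name `openfort-session` are placeholders and assumptions.

```ts
// Added example, not Openfort's implementation. Secret, encodings and cookie
// name are assumptions; only the "{token}.{signature}" shape comes from the page.
import { createHmac, randomBytes, timingSafeEqual } from 'crypto';

const PROJECT_SECRET = 'replace-with-your-project-secret'; // placeholder, never ship this

// HMAC-SHA-256 over the token part, keyed with the project secret.
function sign(token: string, secret: string): string {
  return createHmac('sha256', secret).update(token).digest('base64url');
}

// Mint a 32-character random token and append its signature.
function issueSessionToken(secret: string = PROJECT_SECRET): string {
  const token = randomBytes(24).toString('base64url'); // 24 bytes -> 32 url-safe chars
  return `${token}.${sign(token, secret)}`;
}

// Returns the bare token when the signature is valid, otherwise null.
// A good signature only proves the value was minted with the secret; the caller
// must still look the token up to catch revoked or expired sessions.
function verifySessionToken(value: string, secret: string = PROJECT_SECRET): string | null {
  const dot = value.lastIndexOf('.');
  if (dot <= 0 || dot === value.length - 1) return null; // missing token or signature part
  const token = value.slice(0, dot);
  const presented = Buffer.from(value.slice(dot + 1), 'utf8');
  const expected = Buffer.from(sign(token, secret), 'utf8');
  // timingSafeEqual throws on length mismatch, so compare lengths first;
  // the constant-time compare prevents leaking the MAC byte by byte.
  if (presented.length !== expected.length || !timingSafeEqual(presented, expected)) return null;
  return token;
}

// Extract the session cookie from a raw Cookie header (cookie name assumed).
function sessionTokenFromCookieHeader(cookieHeader: string, name = 'openfort-session'): string | null {
  for (const part of cookieHeader.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return rest.join('=');
  }
  return null;
}
```

Because both halves are base64url, neither can contain a `.`, so splitting on the last dot is unambiguous; if you change the encoding, revisit that assumption.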

## Authorizing requests with the session token

To include the current user's session token on requests to your backend, use the `getAccessToken()` method. The SDK handles token management internally.

```ts
// Ask the SDK for the current user's session token; it handles storage and refresh.
const accessToken = await openfort.getAccessToken();

const response = await fetch(<your-api-route>, {
    method: <your-request-method>,
    body: <your-request-body>,
    headers: {
        // Bearer scheme; your backend validates this token before trusting the request
        'Authorization': `Bearer ${accessToken}`,
        /* Add any other request headers you'd like */
    }
});
```

<HoverCardLayout>
  <HoverCardLink description="Learn how to validate the access token on your backend" href="/products/server/access-token" title="Verify tokens server-side" subtitle="Server-side validation" icon={Shield} color="#10B981" />
</HoverCardLayout>

## Log out users

Upon sign out, the session is invalidated in the database and the client library removes the session stored in the browser.

:::note
When a session is revoked (via logout or password change), the session is immediately invalidated in the database. The user is logged out on their next request when the session token is verified.
:::
