User Sessions

Session overview

A session is created when a user signs in. By default, sessions last 30 days and a user can have an unlimited number of active sessions.

A session is represented by a secure session token stored in signed HttpOnly cookies.

Automatic session refresh

Openfort uses a sliding session model:

  • Sessions automatically extend when the user makes authenticated requests
  • If a session is accessed within its refresh window (one day before potential refresh), the expiration extends
  • No manual "refresh token" exchange is required
  • If a session hasn't been accessed for 30 days, it expires

This approach balances security (sessions eventually expire) with convenience (active users stay logged in).

Session termination

A session terminates when:

  • The user clicks sign out
  • The user changes their password or performs a security-sensitive action
  • The session reaches its maximum lifetime (30 days without activity)
  • The session is explicitly revoked

Session token format

Session tokens are:

  • Randomly generated unique identifiers (32 characters)
  • Signed using HMAC-SHA-256 with your project's secret
  • Stored in secure, HttpOnly cookies with the openfort prefix
  • Verified against Openfort's servers on each request

The token format is {token}.{signature}, where the signature ensures the token hasn't been tampered with.

Authorizing requests with the session token

To include the current user's session token on requests to your backend, use the getAccessToken() method. The SDK handles token management internally.

const accessToken = await openfort.getAccessToken();
 
const response = await fetch(<your-api-route>, {
    method: <your-request-method>,
    body: <your-request-body>,
    headers: {
        'Authorization': `Bearer ${accessToken}`,
        /* Add any other request headers you'd like */
    }
});

Log out users

To log out a user, call logout() to remove them from the browser session and clear objects from localStorage.

import { Openfort } from "@openfort/openfort-js";
const openfort = new Openfort({
  baseConfiguration: {
      publishableKey: "YOUR_OPENFORT_PUBLISHABLE_KEY"
  }
});
 
async function logout() {
  await openfort.auth.logout();
}

Upon sign out, the session is invalidated in the database and the client library removes the session stored in the browser.

Copyright © 2023-present Alamas Labs, Inc