User authentication security

Openfort designs its authentication system with security as a core principle. This document explains how Openfort protects user sessions, how tokens work, and best practices for secure authentication.

Token architecture

Openfort uses a token-based authentication system that provides security and scalability.

Session tokens

Openfort issues a session token when a user authenticates. The token:

  • Uses a randomly generated unique identifier (32 characters)
  • Is signed with HMAC-SHA-256 using your project secret
  • Has a default expiration time of 30 days
  • Automatically refreshes on user activity

By default, Openfort stores session tokens in signed HttpOnly cookies. A user can have an unlimited number of active sessions.

The token format is {token}.{signature}, where the signature ensures no tampering.

Token verification

Openfort verifies every session token against its servers to ensure:

  1. Authenticity: Openfort issued the token.
  2. Integrity: No one modified the token.
  3. Validity: The session has not expired or been revoked.

import Openfort from "@openfort/openfort-node";

const openfort = new Openfort(process.env.OPENFORT_SK, {
  publishableKey: process.env.OPENFORT_PUBLISHABLE_KEY,
});

// userSessionToken holds the session token presented by the client
// (by default, read from the signed HttpOnly cookie on the incoming request).
// Verify a user's session token
const session = await openfort.iam.getSession({
  accessToken: userSessionToken,
});

// Access verified user information
console.log("User ID:", session.user.id);
console.log("Session expires:", session.session.expiresAt);

Security mechanisms

Tamper detection

Openfort invalidates the session immediately if it detects token tampering. The user must re-authenticate. Openfort destroys the corresponding backend session. You can configure a webhook to notify your server of the security event.

Session invalidation

Sessions are invalidated by:

  • User action: Explicit sign-out.
  • Security-sensitive actions: Password changes.
  • Token expiration: Automatic after 30 days without activity.
  • Forced revocation: Through the Openfort dashboard or API.
  • Security detection: Automatic on tamper detection.

Openfort uses a sliding session model:

  • Sessions extend automatically when the user makes authenticated requests.
  • The expiration extends if a session receives access within its refresh window (one day before potential refresh).
  • No manual refresh token exchange occurs.
  • Sessions expire if not accessed for 30 days.
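The invalidation triggers and the sliding expiry above can be modelled as a small server-side session store. The following is an added example for this page, not Openfort's server code: the 30-day lifetime and one-day refresh window are the page's numbers, but the reading that a session's expiry is pushed forward at most once per refresh window (rather than on every request) is an assumption, as is the choice to revoke every session of a user on a password change. Time is passed in explicitly so the behaviour is deterministic.

```javascript
// Added illustration of a sliding session store; not Openfort's implementation.
// Assumption: expiry is extended at most once per REFRESH_WINDOW_MS of access.
const DAY_MS = 24 * 60 * 60 * 1000;
const SESSION_LIFETIME_MS = 30 * DAY_MS; // page: sessions expire after 30 idle days
const REFRESH_WINDOW_MS = 1 * DAY_MS;    // page: one-day refresh window

class SessionStore {
  constructor() {
    this.sessions = new Map(); // sessionId -> { userId, issuedAt, expiresAt, revoked }
  }

  // Create a session at time `now` (ms since epoch).
  create(sessionId, userId, now) {
    this.sessions.set(sessionId, {
      userId,
      issuedAt: now,
      expiresAt: now + SESSION_LIFETIME_MS,
      revoked: false,
    });
  }

  // Called on every authenticated request. Returns the session if it is
  // still valid, otherwise null. Expired sessions are dropped; access that
  // falls outside the refresh window slides expiresAt forward.
  touch(sessionId, now) {
    const s = this.sessions.get(sessionId);
    if (!s || s.revoked) return null;
    if (now >= s.expiresAt) {
      this.sessions.delete(sessionId);
      return null;
    }
    if (now - s.issuedAt >= REFRESH_WINDOW_MS) {
      s.issuedAt = now;
      s.expiresAt = now + SESSION_LIFETIME_MS;
    }
    return s;
  }

  // Explicit sign-out, forced revocation from dashboard/API, or tamper detection.
  revoke(sessionId) {
    const s = this.sessions.get(sessionId);
    if (s) s.revoked = true;
    return Boolean(s);
  }

  // Security-sensitive action (assumed: password change ends every session of the user).
  revokeAllForUser(userId) {
    let count = 0;
    for (const s of this.sessions.values()) {
      if (s.userId === userId && !s.revoked) {
        s.revoked = true;
        count++;
      }
    }
    return count;
  }
}

// Usage with constructed timestamps:
const store = new SessionStore();
const start = Date.UTC(2024, 0, 1);
store.create("sess-1", "user-1", start);
console.log("after 1h:", store.touch("sess-1", start + 60 * 60 * 1000));
console.log("after 2d:", store.touch("sess-1", start + 2 * DAY_MS));
console.log("after 31d idle:", store.touch("sess-1", start + 2 * DAY_MS + 31 * DAY_MS));
```

Keeping the session state server-side is what makes forced revocation and tamper handling immediate: a cookie that is still cryptographically valid is useless once its identifier is marked revoked or has been deleted from the store.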