Session Management

After a user signs in, your web or mobile app holds the session and refresh tokens. The Client or Mobile SDK stores them securely, refreshes the session token when it expires, and attaches the session token to requests your app sends to your backend.

Session management on the client is not authorization. Your backend still validates every session token before serving protected resources.

PlatformWhat the SDK handlesGuide
WebRead tokens from the SDK, send them to your API, logout, optional UI checks (expiry, roles for display)View
MobileSecure storage (Keychain / EncryptedSharedPreferences), session manager, refresh, logout, attach token to API callsView

Client apps do not validate sessions

Web and mobile SDKs may check expiry or read roles for UI purposes, but that is not a substitute for server-side validation. Never rely on client-side role or permission checks to protect data.

For more information on the session and refresh token model, see the Sessions docs.

Was this helpful?

On this page