Session Management
After a user signs in, your web or mobile app holds the session and refresh tokens. The Client or Mobile SDK stores them securely, refreshes the session token when it expires, and attaches the session token to requests your app sends to your backend.
Session management on the client is not authorization. Your backend still validates every session token before serving protected resources.
| Platform | What the SDK handles | Guide |
|---|---|---|
| Web | Read tokens from the SDK, send them to your API, logout, optional UI checks (expiry, roles for display) | View |
| Mobile | Secure storage (Keychain / EncryptedSharedPreferences), session manager, refresh, logout, attach token to API calls | View |
Client apps do not validate sessions
Web and mobile SDKs may check expiry or read roles for UI purposes, but that is not a substitute for server-side validation. Never rely on client-side role or permission checks to protect data.
For more information on the session and refresh token model, see the Sessions docs.
Was this helpful?
