
Sessions

Manage user sessions across multiple devices.

List Sessions

const sessions = await client.auth.listSessions();
// [{ id, metadata: { ip, userAgent, lastActive }, createdAt }, ...]

Revoke a Session

await client.auth.revokeSession('session-id');

Multi-Device Support

EdgeBase supports multiple simultaneous sessions per user. Each sign-in creates a new session with:

  • IP address — Client IP at sign-in time
  • User-Agent — Browser/device info
  • Last activity — Updated on token refresh

Refresh Token Rotation

Each token refresh issues a new refresh token and invalidates the old one:

Client → POST /auth/refresh (old refreshToken)
Server → { accessToken: "new...", refreshToken: "new..." }
(old refreshToken invalidated)

A 30-second grace period allows in-flight requests using the previous refresh token to succeed.

Grace Period Details

When a refresh token is rotated, the previous token remains valid for 30 seconds. This prevents race conditions when multiple browser tabs or concurrent requests attempt to refresh the token simultaneously.

  • During the 30-second window, both the old and new refresh tokens are accepted
  • After the window expires, presenting the old token triggers token theft detection: the entire session is revoked and all of its tokens are invalidated, so the legitimate client is signed out too and must authenticate again
  • This protects against stolen refresh tokens while tolerating normal concurrent usage; the trade-off is that a token replayed inside the window is indistinguishable from a concurrent tab and is not flagged, which is why the window is kept short

Session Limits (maxActiveSessions)

Control the maximum number of concurrent sessions per user. When the limit is reached, the oldest session is evicted (FIFO) to make room for the new sign-in.

auth: {
  session: {
    maxActiveSessions: 5 // 0 = unlimited (default)
  }
}

| Config Value | Behavior |
|---|---|
| 0 (default) | Unlimited sessions |
| 1 | Single session only; a new sign-in evicts the previous session |
| 5 | Up to 5 concurrent sessions; the oldest is evicted when the limit is reached |

The oldest session (by createdAt) is deleted to make room for the new session. See Session Management for detailed eviction logic and examples.
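The following is an added TypeScript model of the eviction rule, written for this page and not taken from EdgeBase. It assumes an in-memory session list, a caller-supplied session id, a userId field, and an injectable clock so that createdAt ordering is deterministic; the evicted ids are returned so a caller can audit-log them.

```typescript
// Added example, not EdgeBase's own code: in-memory model of maxActiveSessions
// (0 = unlimited; otherwise the oldest session by createdAt is evicted FIFO to
// make room for a new sign-in). Ids, userId and the clock are assumptions.

interface Session {
  id: string;
  userId: string;
  createdAt: number; // ms epoch; the eviction ordering key
}

class SessionStore {
  private sessions: Session[] = [];

  constructor(
    private readonly maxActiveSessions: number,
    private readonly now: () => number = () => Date.now(),
  ) {
    if (!Number.isInteger(maxActiveSessions) || maxActiveSessions < 0) {
      throw new RangeError("maxActiveSessions must be a non-negative integer");
    }
  }

  // Sign-in: make room for this user first, then create the new session.
  signIn(userId: string, sessionId: string): { session: Session; evicted: string[] } {
    const evicted: string[] = [];
    if (this.maxActiveSessions > 0) {
      const active = this.list(userId); // oldest first
      const excess = active.length - this.maxActiveSessions + 1; // slots needed for the newcomer
      for (let i = 0; i < excess; i++) evicted.push(active[i].id);
      this.sessions = this.sessions.filter((s) => !evicted.includes(s.id));
    }
    const session: Session = { id: sessionId, userId, createdAt: this.now() };
    this.sessions.push(session);
    return { session, evicted };
  }

  // Counterpart of client.auth.revokeSession('session-id'); false if unknown.
  revoke(sessionId: string): boolean {
    const before = this.sessions.length;
    this.sessions = this.sessions.filter((s) => s.id !== sessionId);
    return this.sessions.length < before;
  }

  // Counterpart of client.auth.listSessions() for one user, oldest first.
  list(userId: string): Session[] {
    return this.sessions
      .filter((s) => s.userId === userId)
      .sort((a, b) => a.createdAt - b.createdAt);
  }
}
```

The limit is enforced per user, and eviction happens before the new session is stored, so with maxActiveSessions: 1 the previous device is signed out at the moment of the new sign-in rather than at its next refresh.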

Token Lifetimes

| Token | Default TTL | Storage |
|---|---|---|
| Access Token | 15 minutes | Memory only |
| Refresh Token | 28 days | localStorage / secure storage |

Keep the access token in memory only. A refresh token kept in localStorage is readable by any script running on the origin, so an XSS bug hands it to the attacker; rotation and theft detection then bound the damage rather than prevent it, and the 28-day TTL is the upper bound on how long a stolen token that is never replayed stays usable.

Configure in edgebase.config.ts:

auth: {
  session: {
    accessTokenTTL: '15m',
    refreshTokenTTL: '28d',
  }
}

JWT Key Rotation

Use npx edgebase keys rotate-jwt to rotate JWT_USER_SECRET and JWT_ADMIN_SECRET simultaneously without logging users out:

npx edgebase keys rotate-jwt
npx edgebase deploy # Required: activate new secrets
  • Old secrets are preserved as JWT_USER_SECRET_OLD / JWT_ADMIN_SECRET_OLD
  • 28-day grace period, matching the default Refresh Token TTL (28d), so a refresh token signed under the old secret is still honored until it would have expired anyway and no active user loses their session during rotation
  • Access Tokens (15m TTL) expire naturally, so they need no grace period
  • After 28 days the old secrets are automatically ignored

Note: the grace period only covers signature mismatch errors. Expired tokens are rejected regardless of which secret signed them. If you have raised refreshTokenTTL above 28d, confirm that the rotation grace period still covers the longest-lived refresh token in circulation before rotating.

Next Steps

  • Session Management — Configure session limits (maxActiveSessions), eviction logic, and cleanup behavior
  • Password Policy — Configure password strength requirements and leaked password detection