User Session (JWT/Authorization)
Understand how to onboard with the Openfort signer solution.
What is a session?#
A session is created when a user signs in. By default, it lasts 1 hour and a user can have an unlimited number of active sessions.
A session is represented by the Openfort Auth access token in the form of a JWT, and a refresh token which is a unique string.
Access tokens are designed to be short lived while refresh tokens never expire but can only be used once. You can exchange a refresh token only once to get a new access and refresh token pair.
This process is called refreshing the session.
A session terminates, depending on configuration, when:
- The user clicks sign out.
- The user changes their password or performs a security sensitive action.
- It times out due to inactivity.
- It reaches its maximum lifetime.
- A user signs in on another device.
Access token format#
Openfort access tokens are JSON Web Tokens (JWT), signed with the ES256 algorithm. These JWTs include certain information about the user in its claims, namely:
sid
is the user’s current session IDsub
is the user’s player Idiss
is the token issuer, which should always be openfort.xyzaud
is your Openfort app IDiat
is the timestamp of when the JWT was issuedexp
is the timestamp of when the JWT will expire and is no longer valid. This is generally 1 hour after the JWT was issued.
Authorizing requests with the access token#
To include the current user's access token on requests to your backend, follow the instructions below. Make sure to follow the appropriate instructions if your app uses local storage.
_10const authToken = openfort.getAccessToken();_10_10const response = await fetch(<your-api-route>, {_10 method: <your-request-method>_10 body: <your-request-body>,_10 headers: {_10 'Authorization': `Bearer ${accessToken}`, _10 /* Add any other request headers you'd like */_10 }_10});
Visit our guide to verify tokens server-side to learn how to validate the access token on your backend.
Log out a user#
When your user logs out, call logout()
to remove them from the browser session and any objects from localStorage.
_10import Openfort from "@openfort/openfort-js";_10const openfort = new Openfort({_10 baseConfiguration: {_10 publishableKey: "YOUR_OPENFORT_PUBLISHABLE_KEY"_10 }_10});_10_10async function logout() {_10 await openfort.logout();_10}
Upon sign out, all refresh tokens and potentially other database objects related to the affected sessions are destroyed and the client library removes the session stored in the browser.
Access tokens of revoked sessions remain valid until their expiry time, encoded in the exp
claim. The user won't be immediately logged out and will only be logged out when the access token expires.