# Native to Web SSO Best Practices

> Learn about Native to Web SSO best practices

<Warning>
  Native to Web SSO is currently available in Early Access. To use this feature, you must have an Enterprise plan. By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/). To learn more about Auth0's product release cycle, review Product Release Stages.
</Warning>

For best results when implementing Native to Web <Tooltip data-tooltip-id="react-containers-DefinitionTooltip-0" href="/docs/ja-jp/glossary?term=single-sign-on" tip="Single sign-on (SSO): a service that automatically logs a user in to other applications after they have logged in to one application." cta="View glossary">SSO</Tooltip>, Auth0 recommends adhering to the best practices compiled below. These guidelines help preserve session integrity:

## Use Post Login Actions to limit session lifetime

Use [`post-login`](/docs/ja-jp/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger) Action triggers to ensure web sessions created through Native to Web SSO are time-boxed appropriately and expire quickly when inactive. A `post-login` Action can detect that a session was initiated through a `session_transfer_token` and apply shorter idle and absolute timeouts than the tenant defaults:

```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Only tighten the limits for sessions that were transferred from a native app
  if (event.session_transfer_token) {
    const now = Date.now();

    // Limit the session to 30 minutes total (absolute timeout)
    api.session.setExpiresAt(now + 30 * 60 * 1000);

    // Expire the session after 15 minutes without activity (idle timeout)
    api.session.setIdleExpiresAt(now + 15 * 60 * 1000);
  }
};
```

## Bind `session_transfer_token` to the device or IP address

To reduce the risk of token replay if a token is leaked, logged, or intercepted, always bind the [`session_transfer_token`](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id) to the environment it originated from using `enforce_device_binding`.

## Use secure cookies over query parameters

Send the `session_transfer_token` to the web application using a Secure, HttpOnly cookie scoped to your Auth0 domain. This prevents accidental logging or sharing of the token via URLs and reduces the attack surface for token interception. If you must use a query parameter (for example, for Chrome Custom Tabs), ensure that the URL uses HTTPS and remove the token from the URL immediately after use.

## Avoid issuing refresh tokens to web apps unless necessary

Only enable [`allow_refresh_token`](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id) for web applications that truly need long-lived tokens. In most cases, short-lived <Tooltip data-tooltip-id="react-containers-DefinitionTooltip-1" href="/docs/ja-jp/glossary?term=access-token" tip="Access token: an authorization credential, either an opaque string or a JWT, used to access an API." cta="View glossary">access tokens</Tooltip> combined with silent authentication are sufficient and safer in browser contexts.

## Enable Allow Refresh Tokens when appropriate to set the refresh tokens as “online”

To avoid orphaned credentials and prevent <Tooltip data-tooltip-id="react-containers-DefinitionTooltip-1" href="/docs/ja-jp/glossary?term=refresh-token" tip="Refresh token: a token used to obtain a renewed access token without forcing the user to log in again." cta="View glossary">refresh tokens</Tooltip> from lingering after logout, use the [`allow_refresh_token`](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id) setting to ensure refresh tokens issued via Native to Web SSO are bound to the session that issued them. If that session is revoked or expires, the refresh token is automatically invalidated.

## Enable enforce cascade revocation

To ensure that all web sessions and refresh tokens associated with a `session_transfer_token` are revoked, enable [`enforce_cascade_revocation`](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id) in the native application. This is critical to ensure secure session invalidation across applications.
