Configure Session Lifetime
To configure a session lifetime, you can use the Auth0 Dashboard, Management API, or a Post-Login Action.
Auth0 Dashboard
To configure the session lifetime using Auth0 Dashboard:
Navigate to Dashboard > Tenant Settings and select the Advanced view.
Under Session Expiration, you can configure:
| Session Policy | Description |
|---|---|
| Idle Session Lifetime (Persistent) | Maximum time (in minutes) of inactivity before a persistent session expires. |
| Idle Session Lifetime (Non-Persistent) | Maximum time (in minutes) of inactivity before a non-persistent session expires. |
| Maximum Session Lifetime (Persistent) | Maximum time (in minutes) a persistent session can exist, even if the user is active. |
| Maximum Session Lifetime (Non-Persistent) | Maximum time (in minutes) a non persistent session can exist, even if the user is active. |
Auth0 Management API
To configure the session lifetime using the Auth0 Management API:
Calls to the /api/v2/tenants/settings endpoint require a Management API access token with the update:tenant_settings scope.
Make a PATCH request to the /api/v2/tenants/settings endpoint:
curl --request PATCH \
--url 'https://<your-domain>/api/v2/tenants/settings' \
--header 'Authorization: Bearer MGMT_API_ACCESS_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"session_lifetime": SESSION_LIFETIME_VALUE,
"idle_session_lifetime": IDLE_SESSION_LIFETIME_VALUE,
"ephemeral_session_lifetime": EPHEMERAL_SESSION_LIFETIME_VALUE,
"idle_ephemeral_session_lifetime": EPHEMERAL_IDLE_SESSION_LIFETIME_VALUE
}'Was this helpful?
| Parameter | Description |
|---|---|
session_lifetime |
Maximum duration (in hours) for absolute timeout. |
idle_session_lifetime |
Maximum duration (in hours) before a session expires due to inactivity. |
ephemeral_session_lifetime |
Maximum duration (in hours) for absolute timeout. |
idle_ephemeral_session_lifetime |
Maximum duration (in hours) before a session expires due to inactivity. |
Auth0 Post-Login Actions
You can configure session behavior dynamically using api.session methods with a post-login Action. This allows you to override default tenant session settings on a per-login basis, based on user or context-specific logic.
Use cases include:
Shortening timeouts for high-risk logins
Extending timeouts for trusted users or organizations
Adjusting cookie persistence based on application type
The api.session methods available to configure session lifetimes are:
api.session.setExpiresAtapi.session.setIdleExpiresAtapi.session.setCookieMode
The api.session methods only apply to the current session and must be called during the login transaction. These methods require that the event property event.session.id is available.
To learn more, read Sessions with Actions.