Session Lifecycle

An Auth0 session lifecycle begins when a user logs in, remains active with user interaction, and ends when the session expires or is explicitly terminated.

Auth0 considers a session active when a user interacts with the Authorization Server.

For example:

A session can be persistent or non-persistent; this allows you to configure how a session cookie behaves in a browser.

  • Persistent sessions store cookies with a future expiration timestamp.

  • Non-persistent sessions store cookies with Expires=0, which tells the browser to delete the cookie when the browser is closed.

Session lifetime

Persistent and non-persistent sessions can be configured with their own Idle and Absolute (Maximum) lifetimes to define a session expiration.

Idle timeout

Idle timeout defines the maximum duration of inactivity allowed. Each time a user interacts with Auth0 via Single Sign-On (SSO), silent authentication or /authorize, the idle timer resets. If no interaction with Auth0 happens during the configured period, the session expires.

Absolute timeout (Maximum)

Absolute timeout defines the maximum duration a session can remain valid regardless of user activity. Once absolute timeout is reached, the session expires and the user will need to reauthenticate.

Learn how to Configure Session Lifetime.

Session lifetime limits

Session lifetime has the following limits:

| Session type | Timeout type | Description | Maximum (Self-Service plans) | Maximum (Enterprise Plans) |
|---|---|---|---|---|
| Non-persistent | Inactivity timeout | Timeframe after which a session expires if there’s no interaction with the Authorization Server | 3 days | 100 days |
| Non-persistent | Require Login after | Maximum session lifetime, regardless of activity | 30 days | 365 days |
| Persistent | Inactivity timeout | Timeframe after which a session expires if there’s no interaction with the Authorization Server | 3 days | 100 days |
| Persistent | Require Login after | Maximum session lifetime, regardless of activity | 30 days | 365 days |
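
The idle and absolute timeout rules and the plan limits above can be modeled as follows. This is an added example, not Auth0 code or an Auth0 API: the names PLAN_LIMITS, validate_lifetimes and Session are hypothetical, and treating a session as expired exactly at its deadline is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Plan maximums (idle, absolute) taken from the limits table above.
PLAN_LIMITS = {
    "self-service": (timedelta(days=3), timedelta(days=30)),
    "enterprise": (timedelta(days=100), timedelta(days=365)),
}

def validate_lifetimes(idle, absolute, plan):
    """Return a list of problems with a proposed idle/absolute pair."""
    max_idle, max_absolute = PLAN_LIMITS[plan]
    problems = []
    if idle <= timedelta(0) or absolute <= timedelta(0):
        problems.append("timeouts must be positive")
    if idle > max_idle:
        problems.append(f"idle timeout exceeds the {plan} maximum of {max_idle.days} days")
    if absolute > max_absolute:
        problems.append(f"absolute timeout exceeds the {plan} maximum of {max_absolute.days} days")
    if idle > absolute:
        # In this model the absolute deadline always arrives first.
        problems.append("idle timeout is longer than absolute timeout and never applies")
    return problems

@dataclass
class Session:
    created: datetime
    idle: timedelta
    absolute: timedelta
    last_interaction: Optional[datetime] = None

    def __post_init__(self):
        if self.last_interaction is None:
            self.last_interaction = self.created  # login counts as the first interaction

    def state(self, now):
        # Assumption: a session counts as expired exactly at its deadline.
        if now >= self.created + self.absolute:
            return "expired-absolute"
        if now >= self.last_interaction + self.idle:
            return "expired-idle"
        return "active"

    def interact(self, now):
        """SSO, silent authentication or /authorize: resets the idle timer only."""
        current = self.state(now)
        if current == "active":
            self.last_interaction = now
        return current
```

In this model, a user who interacts every two days keeps a 3-day idle timer from firing but still has to reauthenticate at day 30, because interaction never moves the absolute deadline.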

Next Steps

  • To learn more about using Actions to configure the session lifecycle, read Sessions with Actions.

  • To learn more about Auth0 Management API Session Management Endpoints, read Sessions with Management API.