Authenticates a Session and updates its lifetime by the specified session_duration_minutes. If the session_duration_minutes is not specified, a Session will not be extended. This endpoint requires either a session_jwt or session_token be included in the request. It will return an error if both are present.

You may provide a JWT that needs to be refreshed and is expired according to its exp claim. A new JWT will be returned if both the signature and the underlying Session are still valid. See our How to use Stytch Session JWTs guide for more information.

If an authorization_check object is passed in, this method will also check if the Member is authorized to perform the given action on the given Resource in the specified Organization. A Member is authorized if their Member Session contains a Role, assigned explicitly or implicitly, with adequate permissions. In addition, the organization_id passed in the authorization check must match the Member's Organization.

If the Member is not authorized to perform the specified action on the specified Resource, or if the organization_id does not match the Member's Organization, a 403 error will be thrown. Otherwise, the response will contain a list of Roles that satisfied the authorization check.