Globally unique UUID that identifies a specific Session in the Stytch API. The member_session_id is critical to perform operations on a Session, so be sure to preserve this value.
Session object
Fields
Globally unique UUID that identifies a specific Member. The member_id is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
The timestamp when the Session started.
The timestamp when the Session was last accessed. A session is considered accessed when it is authenticated with the Stytch API; local JWT authentication will not update this value.
The timestamp when the Session will expire. Once a session is expired, it is no longer valid and Stytch will return a 404 error if it is authenticated.
An array of different authentication factors that comprise a Session.
The type of authentication factor. The possible values are: email_otp, impersonated, imported, magic_link, oauth, otp, password, recovery_codes, sso, trusted_auth_token, or totp.
The method that was used to deliver the authentication factor. The possible values depend on the type:
email_otp – Only email.
impersonated – Only impersonation.
imported – Only imported_auth0.
magic_link – Only email.
oauth – The delivery method is determined by the specific OAuth provider used. The possible values are oauth_google, oauth_microsoft, oauth_hubspot, oauth_slack, or oauth_github. In addition, you may see an 'exchange' delivery method when a non-email-verifying OAuth factor originally authenticated in one organization is exchanged for a factor in another organization. This can happen during authentication flows such as session exchange. The non-email-verifying OAuth providers are Hubspot, Slack, and Github. Google is also considered non-email-verifying when the HD claim is empty. The possible exchange values are oauth_exchange_google, oauth_exchange_hubspot, oauth_exchange_slack, or oauth_exchange_github. The final possible value is oauth_access_token_exchange, if this factor came from an access token exchange flow.
otp – Only sms.
password – Only knowledge.
recovery_codes – Only recovery_code.
sso – Either sso_saml or sso_oidc.
trusted_auth_token – Only trusted_token_exchange.
totp – Only authenticator_app.
The timestamp when the factor was initially authenticated.
The timestamp when the factor was last authenticated.
The timestamp when the factor was last updated.
Either PRIMARY or SECONDARY. Currently, secondary factor types include otp, totp, and recovery_codes. All other factors are primary.
Information about the email factor, if one is present.
The email address of the Member.
The globally unique UUID of the Member's email.
Information about the phone number factor, if one is present.
The phone number of the Member.
The globally unique UUID of the Member's phone number.
Information about the Google OAuth factor, if one is present.
The unique ID of an OAuth registration.
The globally unique UUID of the Member's email.
The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Information about the Microsoft OAuth factor, if one is present.
The unique ID of an OAuth registration.
The globally unique UUID of the Member's email.
The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Information about the Hubspot OAuth factor, if one is present.
The unique ID of an OAuth registration.
The globally unique UUID of the Member's email.
The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Information about the Github OAuth factor, if one is present.
The unique ID of an OAuth registration.
The globally unique UUID of the Member's email.
The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Information about the Slack OAuth factor, if one is present.
The unique ID of an OAuth registration.
The globally unique UUID of the Member's email.
The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Information about the Hubspot OAuth Exchange factor, if one is present.
The globally unique UUID of the Member's email.
Information about the Github OAuth Exchange factor, if one is present.
The globally unique UUID of the Member's email.
Information about the Google OAuth Exchange factor, if one is present.
The globally unique UUID of the Member's email.
Information about the Slack OAuth Exchange factor, if one is present.
The globally unique UUID of the Member's email.
Information about the SAML SSO factor, if one is present.
The unique ID of an SSO Registration.
Globally unique UUID that identifies a specific SAML Connection.
The ID of the member given by the identity provider.
Information about the OIDC SSO factor, if one is present.
The unique ID of an SSO Registration.
Globally unique UUID that identifies a specific OIDC Connection.
The ID of the member given by the identity provider.
Information about the TOTP-backed Authenticator App factor, if one is present.
Globally unique UUID that identifies a TOTP instance.
Information about the impersonated factor, if one is present.
The email address of the impersonator.
For impersonated sessions initiated via the Stytch Dashboard, the impersonator_id will be the impersonator's Stytch Dashboard member_id.
Information about the trusted auth token factor, if one is present.
The ID of the trusted auth token.
Information about the access token exchange factor, if one is present.
The ID of the Connected App client.
A custom claims map for the Session being authenticated. Claims will be included on the Session object and in the JWT. iss, sub, aud, exp, nbf, iat, jti are reserved claims. Total custom claims size cannot exceed four kilobytes.
Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: - . _ ~. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience.
A list of the Roles explicitly or implicitly assigned to this Member that are valid for this Member Session. This may differ from the Roles you see on the Member object - Roles that are implicitly assigned by SSO connection or SSO group will only be valid for a Member Session if there is at least one authentication factor on the Member Session from the specified SSO connection.
{
  "member_session": {
    "member_session_id": "session-test-fe6c042b-6286-479f-8a4f-b046a6c46509",
    "member_id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
    "started_at": "2023-01-09T07:41:52Z",
    "last_accessed_at": "2023-01-09T07:41:52Z",
    "expires_at": "2021-08-10T07:41:52Z",
    "authentication_factors": [
      {
        "delivery_method": "email",
        "email_factor": {
          "email_address": "sandbox@stytch.com",
          "email_id": "email-test-81bf03a8-86e1-4d95-bd44-bb3495224953"
        },
        "last_authenticated_at": "2023-01-09T07:41:52Z",
        "created_at": "2023-01-09T07:41:52Z",
        "updated_at": "2023-01-09T07:41:52Z",
        "sequence_order": "PRIMARY",
        "type": "magic_link"
      }
    ],
    "custom_claims": {
      "claim1": "value1",
      "claim2": "value2"
    },
    "organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    "organization_slug": "example-org",
    "roles": ["stytch_member", "editor"]
  }
}
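The following is an added example, not code from Stytch or from the original page. It shows how an application could review a Session object it has already received, using the expiry, factor type and delivery method fields described above. The function name review_session, the finding labels and the require_secondary parameter are hypothetical, and the second session and the NOW value are constructed for illustration.

```python
from datetime import datetime, timezone

# Values below are taken from the field descriptions on this page.
SECONDARY_TYPES = {"otp", "totp", "recovery_codes"}
EXCHANGE_METHODS = {"oauth_exchange_google", "oauth_exchange_hubspot",
                    "oauth_exchange_slack", "oauth_exchange_github"}

def parse_ts(value):
    """Parse a Session timestamp such as 2023-01-09T07:41:52Z as aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_session(session, now, require_secondary=False):
    """Hypothetical local policy check: returns a list of findings (empty = pass)."""
    findings = []
    # An expired session is no longer valid, whatever factors it carries.
    if parse_ts(session["expires_at"]) <= now:
        findings.append("expired")
    factors = session.get("authentication_factors", [])
    for factor in factors:
        # Impersonated sessions are worth recording separately for audit.
        if factor["type"] == "impersonated":
            findings.append("impersonated")
        # Exchange delivery methods mark a non-email-verifying OAuth factor
        # that was first authenticated in a different organization.
        if factor.get("delivery_method") in EXCHANGE_METHODS:
            findings.append("exchanged_oauth_factor")
    if require_secondary and not any(f["type"] in SECONDARY_TYPES for f in factors):
        findings.append("no_secondary_factor")
    return findings

# The member_session from the page's sample response, trimmed to the fields used here.
PAGE_SAMPLE = {
    "expires_at": "2021-08-10T07:41:52Z",
    "authentication_factors": [
        {"type": "magic_link", "delivery_method": "email", "sequence_order": "PRIMARY"},
    ],
}
# Constructed session: an exchanged Slack OAuth factor plus a TOTP secondary factor.
CONSTRUCTED = {
    "expires_at": "2023-01-09T09:00:00Z",
    "authentication_factors": [
        {"type": "oauth", "delivery_method": "oauth_exchange_slack", "sequence_order": "PRIMARY"},
        {"type": "totp", "delivery_method": "authenticator_app", "sequence_order": "SECONDARY"},
    ],
}
NOW = datetime(2023, 1, 9, 8, 0, 0, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    print(review_session(PAGE_SAMPLE, NOW, require_secondary=True))
    print(review_session(CONSTRUCTED, NOW, require_secondary=True))
```

The page's sample session is reported as expired because its expires_at (2021-08-10) precedes its started_at (2023-01-09).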