Start of a session

When a user session starts.

What is a session?

A session is a unique identifier for a user’s authenticated state within your application. It ties together the user’s identity, authentication factors, and session metadata. Once a user successfully authenticates, Stytch mints a Session object for the user—represented by two tokens:

Session represented by tokens

User Session object

Represents an authenticated session for a specific user.

session_token

An opaque token that’s verified via API call.

session_jwt

A signed token that can be locally verified.

Session tokens should be stored client-side (usually a browser cookie) and authenticated on each request.

Session management

Stytch’s SDKs provide a session management layer that abstracts token rotation, session validation, and more:

Check for an active session

Control your application behavior based on whether a user has an active session.

Authenticate a session

Validate session tokens or JWTs before any action that requires authorization.

Hydrate a session

Hydrate the frontend session state from the backend.

Add custom claims

Encode additional information into your session JWTs using custom claims.

Cookies and sessions

Options for cookie configuration and HttpOnly cookies.

Session lifecycle

Extend sessions & session expiration

Session duration and extending the lifetime of a session.

Revoke sessions

Immediately invalidate the session token, effectively logging the user out.