
# Start of a session

> The session lifecycle through authentication to a full session.

## Overview

A Member Session begins after an end user meets the primary and secondary factor authentication requirements of an Organization.
In cases where an authentication call does not satisfy the Organization's requirements, an intermediate session is returned. This will be exchanged for a full session after the authentication flow is completed:

<Columns cols={2}>
  <Card title="Intermediate session" href="#intermediate-session">
    Begins if an end user has started a primary factor authentication, but isn't fully authenticated into an organization yet.
  </Card>

  <Card title="Full session" href="#full-member-session">
    Begins once an end user has completed all required authentication factors for an organization.
  </Card>
</Columns>

***

## Intermediate session

An intermediate session begins when an `intermediate_session_token` is returned after a primary factor `authenticate()` call or a discovery authentication call.

It represents the temporary authentication state of a user who hasn't been fully authenticated into an organization yet.

### Attributes

* **No organizational context**<br />
  Intermediate sessions aren't associated with any organization. A user must meet all primary and secondary authentication factors for an organization for the token to be successfully exchanged for a full Member Session with an organization.

* **Fixed intermediate session duration**<br />
  Intermediate session tokens are valid for **10 minutes**. If the token is not exchanged for a Member Session before expiration, the end user must restart the authentication process.

* **Using intermediate sessions**<br />
  Intermediate sessions are used during an authentication flow to facilitate step-up primary authentication, multi-factor authentication (MFA), and the Discovery login experience.

### Additional resources

<Columns cols={2}>
  <Card title="Intermediate sessions in authentication" href="/multi-tenant-auth/manage-sessions/intermediate-sessions/overview" icon="arrow-up-right" />
</Columns>

***

## Full member session

A full member session is initiated after a successful authentication call that satisfies all of an Organization's authentication requirements.
This could be directly from an `authenticate()` call (e.g. [magic links](/api-reference/b2b/api/email-magic-links/organization/authenticate-magic-link)) for an org-specific login, from an [intermediate session token exchange](/api-reference/b2b/api/discovery/exchange-intermediate-session) after a Discovery flow, or from a secondary factor authentication call (e.g. [SMS OTP](/api-reference/b2b/api/mfa/otp/authenticate-sms-otp)) for an organization that requires MFA.

These methods return a newly minted [Member Session object](/api-reference/b2b/api/sessions/session-object) in the response, containing useful attributes about the member's logged-in state that can be stored as part of your application logic.

<Accordion title="Sample authenticate response & session object">
  ```json Response 200 expandable theme={null}
  {
    "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
    "status_code": 200,
    "member_id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
    "session_token": "mZAYn5aLEqKUlZ_Ad9U_fWr38GaAQ1oFAhT8ds245v7Q",
    "session_jwt": "eyJ...",
    "intermediate_session_token": "",
    "member_authenticated": true,
    "mfa_required": null,
    "primary_required": null,
    "member_session": {...},
    "member": {...},
    "organization": {...}
  }
  ```

  ```json Object 200 expandable theme={null}
  {
    "member_session": {
      "member_session_id": "session-test-fe6c042b-6286-479f-8a4f-b046a6c46509",
      "member_id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
      "started_at": "2023-01-09T07:41:52Z",
      "last_accessed_at": "2023-01-09T07:41:52Z",
      "expires_at": "2021-08-10T07:41:52Z",
      "authentication_factors": [
        {
          "delivery_method": "email",
          "email_factor": {
            "email_address": "sandbox@stytch.com",
            "email_id": "email-test-81bf03a8-86e1-4d95-bd44-bb3495224953"
          },
          "last_authenticated_at": "2023-01-09T07:41:52Z",
          "created_at": "2023-01-09T07:41:52Z",
          "updated_at": "2023-01-09T07:41:52Z",
          "sequence_order": "PRIMARY",
          "type": "magic_link"
        }
      ],
      "custom_claims": {
        "claim1": "value1",
        "claim2": "value2"
      },
      "organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
      "roles": ["stytch_member", "editor"]
    }
  }
  ```
</Accordion>

### Attributes

* **Associated with organizations**<br />
  A full session is **always** associated with a specific `organization_id`.

* **Configurable session duration**<br />
  The default duration of a session is 60 minutes, which can be configured in the call initiating a session via `session_duration_minutes`.

* **Identifying and using sessions**<br />
  Sessions are identified by a `session_token` and `session_jwt`, which are used to authenticate and authorize requests between your client and server.

### Additional resources

<Columns cols={2}>
  <Card title="Member session object" href="/api-reference/b2b/api/sessions/session-object" icon="braces" />
</Columns>

***

## Intermediate to full session lifecycle example

This illustrates an org-specific login sequence where the organization requires a secondary authentication factor (MFA):

```mermaid theme={null}
sequenceDiagram
    participant U as User / Browser
    participant A as Your app
    participant S as Stytch

    U->>S: Completes primary factor authentication
    Note over U,S: Intermediate session begins
    S-->>A: Returns intermediate_session_token (IST)

    A->>U: Prompts for an MFA passcode
    U->>A: Inputs code
    A->>S: authenticate() - includes the IST
    Note over U,S: Intermediate session exchanged for a full session
    S-->>A: Member & Session info,<br/>session_token, and session_jwt
    A-->>U: Session stored in cookies
```
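
The branch your backend takes on each authentication response in this sequence, as an added example (not Stytch's own code or SDK). The response field names come from the sample response above; `classify_auth_response`, `ist_still_usable` and the sample token values are hypothetical, and the IST deadline assumes the time your app received the token approximates the time it was issued.

```python
from datetime import datetime, timedelta, timezone

IST_LIFETIME = timedelta(minutes=10)  # fixed IST validity stated on this page

def classify_auth_response(resp, expected_org_id, received_at):
    """Return ("full", creds) or ("intermediate", pending); raise ValueError otherwise."""
    if resp.get("member_authenticated"):
        session = resp.get("member_session") or {}
        # A full session is always tied to one organization: confirm it is the
        # one this login was for before storing any credentials.
        if session.get("organization_id") != expected_org_id:
            raise ValueError("session belongs to a different organization")
        if not resp.get("session_token") or not resp.get("session_jwt"):
            raise ValueError("authenticated response without session credentials")
        return "full", {"session_token": resp["session_token"],
                        "session_jwt": resp["session_jwt"]}
    ist = resp.get("intermediate_session_token") or ""
    if ist:
        # Not fully authenticated: hold the IST and note when it stops being
        # exchangeable (assumption: receipt time approximates issue time).
        return "intermediate", {"intermediate_session_token": ist,
                                "exchange_by": received_at + IST_LIFETIME}
    raise ValueError("response carries neither a full nor an intermediate session")

def ist_still_usable(pending, now):
    """False once the 10-minute window has passed; the user must restart login."""
    return now < pending["exchange_by"]

# Constructed sample responses, trimmed to the fields shown on this page.
ORG_ID = "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931"
FULL = {"member_authenticated": True, "intermediate_session_token": "",
        "session_token": "constructed-session-token", "session_jwt": "eyJ...",
        "member_session": {"organization_id": ORG_ID}}
INTERMEDIATE = {"member_authenticated": False, "session_token": "", "session_jwt": "",
                "intermediate_session_token": "constructed-ist"}

if __name__ == "__main__":
    t0 = datetime(2023, 1, 9, 7, 41, 52, tzinfo=timezone.utc)
    print(classify_auth_response(FULL, ORG_ID, t0)[0])
    kind, pending = classify_auth_response(INTERMEDIATE, ORG_ID, t0)
    print(kind, ist_still_usable(pending, t0 + timedelta(minutes=11)))
```

Only the `"full"` branch should result in session cookies being set; the `"intermediate"` branch keeps the IST for the follow-up `authenticate()` call and nothing else.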
