
Session Security & Management

Understanding how Flowsta manages your authentication sessions and keeps your account secure.

Session Duration

7-Day Session Timeout

Your Flowsta session remains active for 7 days from your last login. After 7 days of inactivity, you'll need to log in again.

Why 7 days?

  • Security: Limits exposure if someone gains access to your device
  • Convenience: Long enough that you won't need to re-authenticate frequently
  • Industry Standard: Aligns with common security practices

What Happens When Sessions Expire

When your session expires:

  1. Automatic Logout: You're logged out automatically to protect your account
  2. 📬 Friendly Message: You'll see a clear explanation that your session expired
  3. 🔄 Easy Return: After logging back in, you'll return to the page you were viewing

Example:

Session Expired

Your session has expired after 7 days of inactivity. 
Please log in again to continue.

[Log In]

Session Types

Website Sessions (OAuth/SSO)

When you log in to a Flowsta partner site using "Login with Flowsta":

  • Duration: 7 days per site
  • Independent: Each site has its own session
  • Seamless: Once logged into Flowsta, other sites recognize you instantly
  • Secure: Sessions stored in HTTP-only cookies (protected from JavaScript access)

Direct Login Sessions

When you log in directly to your Flowsta dashboard:

  • Duration: 7 days
  • Persistent: Remains active across browser tabs
  • Secure: JWT tokens with cryptographic signatures

Keeping Your Session Active

Stay Logged In

Your session is automatically extended when you're actively using the site:

  • Any page visit refreshes your session
  • API requests keep your session alive
  • Background activity (if the app is open) maintains your session

Sessions Don't Extend Indefinitely

For security, sessions have a maximum lifetime:

  • 🔐 Primary session: 7 days maximum
  • 🔄 Refresh tokens: 30 days maximum

After these limits, you must log in again even if you've been active.

Multiple Devices

You can be logged in on multiple devices simultaneously:

✓ Desktop Computer (Session 1)
✓ Laptop (Session 2)  
✓ Mobile Phone (Session 3)

Each device has its own independent 7-day session.

Session Security Features

Automatic Protections

Flowsta includes several security measures to protect your sessions:

  • HTTP-Only Cookies: Session tokens can't be accessed by malicious JavaScript
  • Secure Flag: Cookies are only transmitted over HTTPS (encrypted connections)
  • SameSite Protection: Prevents cross-site request forgery (CSRF) attacks
  • Token Expiration: Limits the damage window if a token is compromised
  • Logout on All Devices: One-click option to end all sessions everywhere

What We Protect Against

  • XSS Attacks: HTTP-only cookies prevent JavaScript access
  • CSRF Attacks: SameSite cookies block cross-site requests
  • Token Theft: Short-lived tokens limit exposure window
  • Replay Attacks: Tokens can't be reused after expiration

Managing Your Sessions

View Active Sessions

See all devices where you're currently logged in:

  1. Go to Dashboard → Settings → Security
  2. View list of active sessions:
    Desktop - Chrome (Last active: 2 minutes ago)
    iPhone - Safari (Last active: 1 hour ago)

End Specific Sessions

Log out of individual devices:

  1. Find the session in your Active Sessions list
  2. Click Revoke next to that session
  3. That device will be logged out immediately

Log Out Everywhere

End all sessions at once:

  1. Go to Dashboard → Settings → Security
  2. Click Log Out on All Devices
  3. You'll be logged out everywhere except your current device

When to use this:

  • Lost your device
  • Suspect unauthorized access
  • Changed your password
  • Public/shared computer access

Session Best Practices

For Users

  1. Log Out on Shared Computers

    Public library? Internet café? Friend's laptop?
    → Always log out when done
  2. Review Active Sessions Regularly

    Weekly check:
    - Any unfamiliar devices?
    - Old sessions from devices you no longer use?
    → Revoke them
  3. Enable Recovery Phrase

    If you lose access to all devices:
    → Recovery phrase lets you regain access
  4. Use Strong, Unique Passwords

    Protect your account from unauthorized login attempts

For Developers

If you're building an app that uses Flowsta authentication:

  1. Handle Expired Sessions Gracefully

    • Detect 401 responses
    • Show friendly "Session Expired" message
    • Redirect to login with return URL
  2. Implement Token Refresh

    • Check token expiration before requests
    • Refresh proactively (before expiration)
    • Handle refresh failures gracefully
  3. Store Tokens Securely

    • Use HTTP-only cookies (best)
    • Or sessionStorage (good)
    • Never localStorage for auth tokens
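The three developer guidelines above, worked into one client-side helper. This is an added example, not Flowsta SDK code: it assumes the token is held where the client can read it (the sessionStorage option above; with HTTP-only cookies the client cannot read "exp" and relies on the 401 path alone), and the `fetchImpl`, `getToken`, `refresh`, `now` and `onSessionExpired` callbacks are assumed shapes injected so the logic runs offline.

```javascript
// Added example (not Flowsta SDK code): detect expired sessions, refresh
// proactively, and redirect to login with a return URL.
const REFRESH_SKEW_SECONDS = 60; // assumed margin: refresh this long before "exp"

// Decode the JWT payload without verifying it. The client only reads "exp" to
// schedule a refresh; signature verification happens on the server.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True if the token is missing, unparseable, or expires within the skew window.
function needsRefresh(token, nowSeconds, skew = REFRESH_SKEW_SECONDS) {
  if (!token) return true;
  try {
    const { exp } = decodeJwtPayload(token);
    return typeof exp !== 'number' || exp - nowSeconds <= skew;
  } catch {
    return true;
  }
}

// Login URL carrying the page the user was on, so they return to it afterwards.
function loginRedirect(currentPath) {
  return '/login?returnTo=' + encodeURIComponent(currentPath);
}

// Constructed, unsigned token for local demonstration only (real tokens are
// signed by the auth server; this one would never pass server-side checks).
function makeDemoToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return b64({ alg: 'none', typ: 'JWT' }) + '.' + b64(claims) + '.';
}

// Wrap fetch: refresh before the token expires, then treat a 401 as an
// expired session. refresh() is assumed to resolve to a fresh access token.
function createAuthedFetch({ fetchImpl, getToken, refresh, now, onSessionExpired }) {
  return async function authedFetch(url, options = {}) {
    let token = getToken();
    if (needsRefresh(token, now())) {
      try {
        token = await refresh();
      } catch {
        onSessionExpired(); // refresh failed: show "Session Expired" and redirect
        return null;
      }
    }
    const headers = { ...(options.headers || {}), Authorization: 'Bearer ' + token };
    const res = await fetchImpl(url, { ...options, headers });
    if (res.status === 401) {
      onSessionExpired();
      return null;
    }
    return res;
  };
}
```

In a browser, `onSessionExpired` would display the "Session Expired" message and then navigate to `loginRedirect(window.location.pathname + window.location.search)`.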

See the SDK Documentation for implementation details.

FAQ

Why do I get logged out after 7 days?

For security. Short-lived sessions reduce the risk if someone gains access to your device or if a session token is compromised.

Can I stay logged in longer?

The 7-day session limit is a security measure and cannot be changed. Developers can, however, use refresh tokens to extend a session seamlessly, up to the 30-day refresh-token maximum.

I was logged out before 7 days. Why?

Possible reasons:

  • You manually logged out
  • You used "Log Out on All Devices"
  • Browser cleared cookies/storage
  • Security measure triggered (suspicious activity)
  • Server maintenance (rare)

What if I lose access to my session?

Just log in again with your email and password. If you've forgotten your password, use your recovery phrase to regain access.

Are my sessions encrypted?

Yes. Sessions use:

  • JWT tokens with cryptographic signatures
  • HTTPS encryption in transit
  • HTTP-only cookies (can't be accessed by JavaScript)

Can someone steal my session?

While no system is 100% secure, Flowsta uses industry-standard protections:

  • Short-lived tokens (7 days max)
  • Secure, HTTP-only cookies
  • HTTPS-only transmission
  • Token rotation on refresh

Best protection: Use strong passwords and enable two-factor authentication (coming soon).

Privacy & Data

What Data is Stored

Your session contains:

  • User ID
  • Email address (hashed)
  • Holochain agent public key
  • Expiration timestamp

Not stored:

  • Your password
  • Private user data
  • Browsing history

Zero-Knowledge Architecture

Flowsta uses zero-knowledge storage for your private data:

Your Password
  → Derives Encryption Key
  → Encrypts Your Private Data
  → Stored on Holochain (Encrypted)
  → Flowsta Staff Cannot Decrypt ✓

Even if someone gains access to a session token, they cannot access your:

  • Password
  • Recovery phrase
  • Encrypted private data

They can only access what that session is authorized to access.

Technical Details

For developers implementing Flowsta authentication:

JWT Structure

```json
{
  "id": "user_abc123",
  "userId": "user_abc123",
  "email": "user@example.com",
  "agentPubKey": "uhCAk...",
  "iat": 1698765432,
  "exp": 1699370232,
  "iss": "flowsta-auth",
  "aud": "flowsta-sites"
}
```

Token Claims

  • id / userId: Unique user identifier
  • email: User's email address
  • agentPubKey: Holochain identity (public key)
  • iat: Issued at (timestamp)
  • exp: Expires at (timestamp, +7 days)
  • iss: Issuer (flowsta-auth)
  • aud: Audience (flowsta-sites)

Session cookie set by the auth server (Max-Age 604800 seconds = 7 days):

```http
Set-Cookie: flowsta_session=eyJhbGc...;
  HttpOnly;
  Secure;
  SameSite=Lax;
  Max-Age=604800;
  Domain=.flowsta.com
```

See the API Reference for complete technical documentation.

Need Help?

Have questions about session security?


Last Updated: November 2025
Applies to: Flowsta Auth v1.6+

Documentation licensed under CC BY-SA 4.0.