Session Lifecycle

An Auth0 session lifecycle begins when a user logs in, remains active with user interaction, and ends when the session expires or is explicitly terminated. Auth0 considers a session active when a user interacts with the Authorization server. For example:

Calls to the /authorize endpoint
Issue silent authentication
Log in to a new application using single sign on

A session can be persistent or non-persistent; this allows you to configure how a session cookie behaves in a browser.

Persistent sessions store cookies with a future expiration timestamp.
Non-persistent sessions store cookies with Expires=0. It tells the browser to delete the cookie when the browser is closed.

Session cookie persistence behavior depends on the browser implementation. Auth0 cannot guarantee that all browsers will delete non-persistent cookies as expected. To learn more read Cookies.

Session lifetime

Persistent and non-persistent sessions can be configured with their own Idle and Absolute (Maximum) lifetimes to define a session expiration.

Idle timeout

Idle timeout defines the maximum duration of inactivity allowed. Each time a user interacts with Auth0 via Single Sign-On (SSO), silent authentication or /authorize, the idle timer resets. If no interaction with Auth0 happens during the configured period, the session expires.

Absolute timeout (Maximum)

Absolute timeout defines the maximum duration a session can remain valid regardless of user activity. Once absolute timeout is reached, the session expires and the user will need to reauthenticate. Learn how to Configure Session Lifetime.

Session lifetime limits

Session lifetime has the following limits:

Session type	Timeout type	Description	Maximum (Self-Service plans)	Maximum (Enterprise Plans)
Non-persistent	Inactivity timeout	Timeframe after which a session expires if there’s no interaction with the Authorization Server	3 days	100 days
	Require Login after	Maximum session lifetime, regardless of activity	30 days	365 days
Persistent	Inactivity timeout	Timeframe after which a session expires if there’s no interaction with the Authorization Server	3 days	100 days
	Require Login after	Maximum session lifetime, regardless of activity	30 days	365 days

Next steps

To learn more about using Actions to configure the session lifecycle, read Sessions with Actions.
To learn more about Auth0 Management API Session Management Endpoints, read Sessions with Management API.

Manage Users

Manage Access

Session Lifecycle

Session lifetime

Idle timeout

Absolute timeout (Maximum)

Session lifetime limits

Next steps

Manage Users

Manage Access

​Session lifetime

​Idle timeout

​Absolute timeout (Maximum)

​Session lifetime limits

​Next steps

Session lifetime

Idle timeout

Absolute timeout (Maximum)

Session lifetime limits

Next steps