Authdog

Sessions

Last updated Jul 17, 2026
View as Markdown

The Sessions page lets you configure how JSON Web Tokens (JWTs) are issued for the current environment. You can manage signing keys, adjust token lifetime and clock skew, and preview the claims structure — all from Security > Sessions (/dashboard/security?tab=sessions).

Signing keys

Signing keys are the JSON Web Keys (JWKs) used to sign access tokens for your environment. The page displays three stats cards summarizing key status:

Card Icon Description
Total Keys Key (blue) The total number of signing keys created in this environment.
Keys Used Today CheckCircle2 (green) The number of keys currently active and used to sign new tokens.
Revoked Keys Ban (red) The number of keys that are no longer active.

Below the stats cards, a table lists all signing keys with the following columns:

Column Details
Key ID The first segment of the key UUID, rendered in monospace text.
Type Key type (kty) — e.g. RSA or OKP.
Use Key usage — always sig (signature).
Algorithm The signing algorithm (e.g. RS256, Ed25519), shown as an outlined badge.
Status A badge indicating the key state: "In use" (green), "Inactive" (neutral), or "Revoked" (red).
Dates Created, updated, and revoked timestamps.
Actions Inline action buttons (only shown for inactive keys).

Create a signing key

Click "New JSON Web Key" in the card header to open the creation dialog. Select the desired algorithm from the dropdown (default: RS256) and click "Save Key". The new key is created in an Inactive state.

Activate a key

Click "Use Key" on an inactive key row. Only active keys are used to sign new tokens. You can have multiple active keys to support key rotation.

Revoke a key

Click "Revoke" (destructive style) on an inactive key row. Revoked keys remain listed for auditing but are never used to sign new tokens. Tokens previously signed with a revoked key can still be verified using the public key from the JWKS endpoint until they expire.

Caution

Revoking a key is permanent. Once revoked, a key cannot be reactivated. Ensure you have at least one active key before revoking others.

JWT settings

The JWT Settings section controls how tokens are issued for the current environment. Two range sliders let you configure:

Setting Range Default Description
Token Lifetime 0–100,000 seconds 3,600 seconds (1 hour) How long an access token remains valid after it is issued.
Allowed Clock Skew 0–600 seconds 60 seconds The tolerance window for clock differences between the issuer and the verifier. Helps avoid token rejection due to minor time drift.

The current value in seconds is displayed below each slider. Adjust the sliders and click "Save Settings" to apply changes. The button is disabled until you change a value. The new settings take effect for all tokens issued after saving.

Tip

A token lifetime of 3,600 seconds (1 hour) is a reasonable default for most applications. Reduce it for high-security environments or increase it for long-lived sessions.

Claims preview

The claims preview panel shows a live JSON representation of the JWT payload structure for the current environment. It is displayed in a dark-themed code block alongside the JWT settings form. The preview dynamically reflects the current token lifetime value as you adjust the slider.

{
  "root": {
    "iss": "https://id.authdog.com",
    "iat": "{{ ISSUED_TIME }}",
    "exp": "{{ ISSUED_TIME + tokenLifetime }}",
    "groups": "{{user.groups}}",
    "sub": "{{user.externalId}}:{{user.environmentId}}"
  }
}

Use this preview to verify the shape and expiry of tokens your application will receive before saving changes.

Supported algorithms

Algorithm Key Type Description
RS256 RSA RSASSA-PKCS1-v1_5 using SHA-256
RS384 RSA RSASSA-PKCS1-v1_5 using SHA-384
RS512 RSA RSASSA-PKCS1-v1_5 using SHA-512
PS256 RSA RSASSA-PSS using SHA-256
PS384 RSA RSASSA-PSS using SHA-384
PS512 RSA RSASSA-PSS using SHA-512
Ed25519 OKP Edwards-curve Digital Signature Algorithm
Read To learn how to
Environments Manage deployment environments that scope session configuration
Sessions & tokens How issued sessions are validated in your app
Projects Select a project before configuring sessions

Learn more