Understanding Sessions in Next Identity Hosted Journeys

This document provides an overview of working with sessions in Next Identity Hosted Journeys.

What It Is

In Next Identity Hosted Journeys, a session is a temporary, browser-based record of a user's authenticated state. After a user successfully signs in, a session begins. This session allows the system to recognize the user for subsequent interactions without requiring them to re-enter credentials—improving both security and user experience.

Why It Matters

Sessions play a critical role in:

  • Reducing login friction by maintaining the user's authenticated state

  • Enabling single sign-on (SSO) across multiple applications

  • Protecting sensitive actions by requiring re-authentication when needed

  • Supporting secure and consistent user journeys

A clear understanding of session behavior ensures that your applications deliver a secure, seamless experience to users.

How It Works

Session Start

A session begins when a user completes authentication using the Next Identity Hosted Journeys /authorize endpoint. This session is stored in the user's browser.

Session Usage

If an application calls the /authorize endpoint from the same browser and the session is still valid:

  • An authorization code is returned automatically

  • The user does not need to sign in again

This allows applications to reuse existing sessions for smoother workflows.

Session Lifetime

  • Default session duration is 14 days

  • The session remains active unless:

    • The user signs out

    • The browser session is cleared

    • The session is explicitly invalidated by the application

Security Note:
Even during an active session, users must re-enter their password or other authentication method when updating their password or security questions.

Session Scope

Sessions are browser-based and limited to the context of that browser. A session in one browser or device is not shared with others.

Use Cases

  • Seamless return visits: Users who revisit an application within the session window won’t be prompted to sign in again.

  • Multi-step processes: Long-running workflows can continue without repeated sign-ins.

Best Practices

  • Always protect sensitive actions by requiring authentication.

  • Inform users when sessions are about to expire, especially during longer workflows.

  • Allow users to sign out fully, clearing all sessions across applications when necessary.

  • Use short session durations for high-risk environments or public devices.
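
The following is an added example, not Next Identity code, of application-side logic that applies these practices: it fails closed on ended or expired sessions, demands fresh credentials for sensitive actions, and flags sessions that are about to expire. The `LocalSession` record, the `decide` function, and every duration other than the 14-day default are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_LIFETIME = timedelta(days=14)    # default session duration stated in this article
HIGH_RISK_LIFETIME = timedelta(hours=1)  # assumed shorter lifetime for public/high-risk use
STEP_UP_WINDOW = timedelta(minutes=5)    # assumed: how fresh credential entry must be
EXPIRY_WARNING = timedelta(minutes=10)   # assumed: when to start warning the user


@dataclass
class LocalSession:
    """Hypothetical application-side record of a browser session."""
    started_at: datetime              # when the user signed in
    credentials_entered_at: datetime  # last time a password/other factor was entered
    high_risk: bool = False
    signed_out: bool = False
    invalidated: bool = False         # set when the application revokes the session

    @property
    def lifetime(self) -> timedelta:
        return HIGH_RISK_LIFETIME if self.high_risk else DEFAULT_LIFETIME


def decide(session: Optional[LocalSession], now: datetime, sensitive: bool = False) -> str:
    """Return 'sign_in', 'reauthenticate', 'allow_warn_expiry' or 'allow'."""
    if session is None or session.signed_out or session.invalidated:
        return "sign_in"
    age = now - session.started_at
    # A start time in the future means a bad clock or a tampered record: fail closed.
    if age < timedelta(0) or age >= session.lifetime:
        return "sign_in"
    # A reused session is not proof of presence: sensitive actions need fresh credentials.
    since_credentials = now - session.credentials_entered_at
    if sensitive and not timedelta(0) <= since_credentials <= STEP_UP_WINDOW:
        return "reauthenticate"
    if session.lifetime - age <= EXPIRY_WARNING:
        return "allow_warn_expiry"
    return "allow"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample times
    s = LocalSession(started_at=t0, credentials_entered_at=t0)
    print(decide(s, t0 + timedelta(days=1)))                  # ordinary page view
    print(decide(s, t0 + timedelta(days=1), sensitive=True))  # password change
    print(decide(s, t0 + timedelta(days=14)))                 # past the lifetime
```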