Sessions

After a user authenticates, Forte issues a session token that your application uses to authenticate subsequent API requests.

Using Session Tokens

You can authenticate requests in two ways:

  • Cookie: The Forte-User-Session-Token cookie is set automatically on authentication responses
  • Bearer Token: Include the session token in the Authorization header as Bearer {sessionToken}

If you provide both, they must be identical to avoid a mismatched token error.

Forte session tokens are cryptographically signed and cannot be decoded or inspected. They are opaque strings that can only be validated or invalidated by Forte.
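The two ways of sending a token described above, as an added example (not from the Forte documentation or SDK): a server-side helper that reads the token from the Forte-User-Session-Token cookie or the Authorization header and rejects the request locally when both are present but differ. The function and type names are hypothetical, and the token is handled as an opaque string that is never decoded.

```typescript
// Added example; extractSessionToken, readCookie, readBearer and TokenResult
// are hypothetical names, not part of the Forte SDK.
const COOKIE_NAME = "Forte-User-Session-Token"; // cookie name given on this page

type TokenResult =
  | { ok: true; token: string }
  | { ok: false; reason: "missing" | "malformed" | "mismatch" };

// Pull one cookie value out of a raw Cookie header ("a=1; b=2").
// Cookie names are case-sensitive; the first matching cookie wins.
function readCookie(header: string | undefined, name: string): string | undefined {
  if (!header) return undefined;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return undefined;
}

// Parse "Bearer <token>". undefined = header absent,
// null = header present but not a well-formed bearer credential.
function readBearer(header: string | undefined): string | undefined | null {
  if (header === undefined) return undefined;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

function extractSessionToken(
  headers: { cookie?: string; authorization?: string },
): TokenResult {
  const fromCookie = readCookie(headers.cookie, COOKIE_NAME);
  const fromBearer = readBearer(headers.authorization);
  if (fromBearer === null) return { ok: false, reason: "malformed" };
  // Both present: they must be identical, so fail early instead of
  // forwarding a request that would produce a mismatched token error.
  if (fromCookie !== undefined && fromBearer !== undefined && fromCookie !== fromBearer) {
    return { ok: false, reason: "mismatch" };
  }
  const token = fromBearer ?? fromCookie;
  if (!token) return { ok: false, reason: "missing" };
  return { ok: true, token };
}
```
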

Token Lifetime

  • Session tokens expire after 365 days by default
  • Tokens can be renewed with a configurable duration
  • Tokens can be explicitly invalidated by calling the logout endpoint

Renewal

Session tokens can be renewed before they expire. When you renew a token, Forte issues a new token with a fresh expiration time. The default renewal duration is 1 year, but this can be customized per request.

typescript
const result = await forte.users.renewSessionToken({
  projectId,
  authorization: `Bearer ${currentSessionToken}`,
  renewalDurationSeconds: 2592000, // 30 days (optional, defaults to 1 year)
});
 
// result.sessionToken — the new token
// result.expirationTime — new expiry

Logout

Calling the logout endpoint invalidates the current session token immediately. The token can no longer be used to authenticate requests after logout.

typescript
await forte.users.logout({
  projectId,
  authorization: `Bearer ${sessionToken}`,
});
