Session Management

Last updated 10 months ago

When a user is authenticated in your application, OneAuxilia generates a short-lived session token that you can use to authenticate requests to your backend. This token is a JSON Web Token (JWT) that contains information about the user and their session.

Default session claims

Every generated token has default claims that cannot be overridden by templates. OneAuxilia's default claims include:

  • azp: authorized party - the Origin header that was included in the original Frontend API request made from the user. Most commonly, it will be the URL of the application. For example: https://example.com. This claim could be omitted if, for privacy-related reasons, Origin is empty or null.

  • exp: expiration time - the time after which the token will expire, as a Unix timestamp. Determined using the Token lifetime JWT template setting in the OneAuxilia Dashboard. See RFC 7519 for more information.

  • iat: issued at - the time at which the token was issued, as a Unix timestamp. For example: 1516239022. See RFC 7519 for more information.

  • iss: issuer - the Frontend API URL of your instance. For example: https://oneauxilia.your-site.com for a production instance or https://your-site.oneauxilia.io for a development instance. See RFC 7519 for more information.

  • nbf: not before - the time before which the token is considered invalid, as a Unix timestamp. Determined using the Allowed Clock Skew JWT template setting in the OneAuxilia Dashboard. See RFC 7519 for more information.

  • sid: session ID - the ID of the current session (e.g. sess_123).

  • sub: subject - the ID of the current user of the session (e.g. user_123). See RFC 7519 for more information.

  • act: actor - only included if the user is impersonating another user. See user impersonation for more information.

The following claims are only included if the user is part of an organization:

  • org_id: organization ID - the ID of the active organization that the user belongs to.

  • org_permissions: organization permissions - the permissions of the user in the currently active organization.

  • org_slug: organization slug - the slug of the currently active organization that the user belongs to.

  • org_role: organization role - the role of the user in the currently active organization.

If you would like to add custom claims to your session token, you can customize it.

Validate session tokens

If you're using the middleware provided by the OneAuxilia SDKs, token validation is handled automatically on every request. If you're not using the middleware, you can still validate tokens with the helpers provided by the SDKs.

You can also create custom tokens using a JWT template.
