#Session Security

#Overview

When you sign in to the AiDial portal, the identity provider creates a signed session and the portal resolves your role, tenant, and project scope. The browser receives only the session details needed for the user interface; sensitive access tokens stay server-side.

Browser code must not send the X-API-Key header. API keys are for trusted server-side integrations, not portal sessions.

Page access and data access are checked by the portal service. Navigation visibility is only a convenience and is not a security boundary.

#Session Expiry

Your session can expire or be invalidated under these conditions:

  • Inactivity timeout — If you have not interacted with the portal for the configured idle period, your session can expire and you will be prompted to sign in again.
  • Absolute timeout — Regardless of activity, your session can expire after the configured maximum duration.
  • Concurrent-session eviction — If an older session is revoked because of the active-session limit, that browser is redirected to the access-denied state.
  • Manual revocation — If you or an authorised administrator revoke a session, that session is treated as no longer valid.

The portal can show an idle-warning dialog before signing you out. If the session-checking service is temporarily unavailable, the portal may show a non-blocking warning instead of forcing an immediate sign-out.
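
The four conditions above, together with the idle warning and the service-unavailable behaviour, as an added JavaScript example. This is illustrative code, not the portal's own session-checking service: the record fields (createdAt, lastSeenAt, revokedAt, revokedReason), every policy value, and the state and action names are assumptions, and the sample session records are constructed.

```javascript
// Added example, not the portal's own code. Evaluates a server-side session
// record against the expiry conditions listed above and decides what the
// browser should do with the check result. Field names and policy values
// are assumptions chosen for illustration.

const MIN = 60 * 1000;

const POLICY = {
  idleTimeoutMs: 30 * MIN,          // assumed idle period
  absoluteTimeoutMs: 12 * 60 * MIN, // assumed maximum session duration
  maxActiveSessions: 2,             // assumed active-session limit per user
  idleWarningMs: 2 * MIN,           // assumed: warn this long before idle expiry
};

// State the session-checking service reports for one record. Explicit
// revocation is checked first, then the absolute timeout (activity cannot
// extend it), then the idle timeout.
function sessionState(session, now, policy = POLICY) {
  if (session.revokedAt !== null) {
    return session.revokedReason === "session_limit" ? "evicted" : "revoked";
  }
  if (now - session.createdAt >= policy.absoluteTimeoutMs) return "expired_absolute";
  if (now - session.lastSeenAt >= policy.idleTimeoutMs) return "expired_idle";
  return "active";
}

// Called when a user's session list changes: the oldest active sessions beyond
// the limit are revoked with reason "session_limit". Returns the evicted ids.
function enforceSessionLimit(sessions, now, policy = POLICY) {
  const active = sessions
    .filter((s) => sessionState(s, now, policy) === "active")
    .sort((a, b) => a.createdAt - b.createdAt);
  const excess = active.slice(0, Math.max(0, active.length - policy.maxActiveSessions));
  for (const s of excess) {
    s.revokedAt = now;
    s.revokedReason = "session_limit";
  }
  return excess.map((s) => s.id);
}

// Result of a successful check; a transport failure is modelled as { ok: false }.
function checkSession(session, now, policy = POLICY) {
  const state = sessionState(session, now, policy);
  const idleRemainingMs = state === "active" ? policy.idleTimeoutMs - (now - session.lastSeenAt) : 0;
  return { ok: true, state, idleRemainingMs };
}

// Browser-side decision. An unreachable checking service only produces a
// non-blocking warning; a definite non-active state ends the session, and an
// eviction goes to the access-denied state rather than the sign-in prompt.
function clientAction(check, policy = POLICY) {
  if (!check.ok) return "warn_service_unavailable";
  if (check.state === "evicted") return "redirect_access_denied";
  if (check.state !== "active") return "sign_out";
  return check.idleRemainingMs <= policy.idleWarningMs ? "show_idle_warning" : "none";
}

// Constructed sample: three sessions for one user, signed in within 25 minutes.
const T0 = Date.UTC(2024, 0, 1, 9, 0, 0);
function makeSession(id, createdAt, lastSeenAt) {
  return { id, userId: "u-1", createdAt, lastSeenAt, revokedAt: null, revokedReason: null };
}
const sessions = [
  makeSession("s-old", T0, T0 + 5 * MIN),
  makeSession("s-mid", T0 + 10 * MIN, T0 + 20 * MIN),
  makeSession("s-new", T0 + 25 * MIN, T0 + 25 * MIN),
];

// The third sign-in pushes the user over the limit of two: "s-old" is evicted.
const evicted = enforceSessionLimit(sessions, T0 + 26 * MIN);
console.log("evicted:", evicted);
console.log("s-old now:", sessionState(sessions[0], T0 + 26 * MIN));
console.log("s-new at +54 min:", clientAction(checkSession(sessions[2], T0 + 54 * MIN)));
console.log("s-mid at +51 min:", clientAction(checkSession(sessions[1], T0 + 51 * MIN)));
console.log("service down:", clientAction({ ok: false }));
```

The ordering in sessionState matters: an explicit revocation (manual or from the session limit) is reported before either timeout, and the absolute timeout is checked before the idle one because activity cannot extend it. clientAction treats a failed check as a warning rather than a sign-out, which matches the non-blocking behaviour described above while still ending the session as soon as a definite non-active state comes back.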

#Signing Out

All portal users can sign out at any time using the sign-out option in the portal.

The sign-out button sends a POST request to /api/auth/signout with the portal CSRF token. The route clears the current browser's session and CSRF cookies, records a sign-out lifecycle audit event when the session context is available, and redirects to Zitadel's OIDC end-session URL when an ID token is present. If the identity-provider logout URL is unavailable, the current browser is still signed out locally.
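
The route behaviour described above, modelled as an added JavaScript example; this is not the portal's actual /api/auth/signout handler. The handler is written as a pure function over a request object so it runs offline. The cookie and header names, the Zitadel issuer, the end-session path /oidc/v1/end_session, the post-logout redirect and the audit event name are assumptions, and the sample request is constructed.

```javascript
// Added example, not the portal's /api/auth/signout handler. Models the route
// as a pure function over a request object so the decision logic can be run
// and checked offline. Names and URLs in CONFIG are assumptions.

const CONFIG = {
  sessionCookie: "portal_session",                             // assumed cookie name
  csrfCookie: "portal_csrf",                                   // assumed cookie name
  csrfHeader: "x-csrf-token",                                  // assumed header (lower-cased as Node does)
  zitadelIssuer: "https://auth.example.com",                   // assumed; null when the IdP is unavailable
  postLogoutRedirect: "https://portal.example.com/signed-out", // assumed
};

// Constant-time comparison of the CSRF cookie with the submitted token so a
// mismatch does not leak how many leading characters were right. In Node,
// crypto.timingSafeEqual over equal-length Buffers does the same job.
function csrfTokenMatches(cookieToken, headerToken) {
  if (typeof cookieToken !== "string" || typeof headerToken !== "string") return false;
  if (cookieToken.length !== headerToken.length) return false;
  let diff = 0;
  for (let i = 0; i < cookieToken.length; i++) {
    diff |= cookieToken.charCodeAt(i) ^ headerToken.charCodeAt(i);
  }
  return diff === 0;
}

// Set-Cookie value that clears a cookie in the current browser.
function clearCookie(name) {
  return `${name}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`;
}

// Zitadel OIDC end-session URL, or null when the issuer is unavailable.
function endSessionUrl(cfg, idToken) {
  if (!cfg.zitadelIssuer) return null;
  const url = new URL("/oidc/v1/end_session", cfg.zitadelIssuer); // assumed path
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", cfg.postLogoutRedirect);
  return url.toString();
}

// req:     { method, cookies: {name: value}, headers: {name: value} }
// session: the server-side record behind the session cookie, or null if none.
// Returns { status, headers, audit } instead of writing to a response object.
function handleSignOut(req, session, cfg = CONFIG) {
  if (req.method !== "POST") return { status: 405, headers: {}, audit: null };
  if (!csrfTokenMatches(req.cookies[cfg.csrfCookie], req.headers[cfg.csrfHeader])) {
    return { status: 403, headers: {}, audit: null };
  }
  // Local sign-out is unconditional: both cookies are cleared even when there
  // is no session record or the IdP redirect cannot be built.
  const headers = {
    "Set-Cookie": [clearCookie(cfg.sessionCookie), clearCookie(cfg.csrfCookie)],
    "Cache-Control": "no-store",
    Location: cfg.postLogoutRedirect,
  };
  // Lifecycle audit event only when the session context is available.
  const audit = session ? { event: "auth.sign_out", userId: session.userId, sessionId: session.id } : null;
  // Redirect to the IdP end-session endpoint only when an ID token is present;
  // fall back to the local redirect when the issuer is unavailable.
  if (session && session.idToken) {
    headers.Location = endSessionUrl(cfg, session.idToken) || cfg.postLogoutRedirect;
  }
  return { status: 303, headers, audit };
}

// Constructed sample request and session record.
const sampleReq = {
  method: "POST",
  cookies: { portal_session: "sess-1", portal_csrf: "csrf-abc123" },
  headers: { "x-csrf-token": "csrf-abc123" },
};
const sampleSession = { id: "sess-1", userId: "u-1", idToken: "idtok-xyz" };

console.log(handleSignOut(sampleReq, sampleSession));
console.log(handleSignOut({ ...sampleReq, headers: {} }, sampleSession).status);
console.log(handleSignOut(sampleReq, sampleSession, { ...CONFIG, zitadelIssuer: null }).headers.Location);
```

The CSRF check runs before anything else is touched, because a sign-out request that any site can trigger is itself a denial-of-service on the user. The cookies are cleared whether or not the IdP redirect can be built, which is what keeps the browser signed out locally when the identity-provider logout URL is unavailable.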

Signing out affects the current browser session. To end sessions on other devices, use the session revocation controls described below.

#Session Management in Settings

Customer roles (client_admin, client_manager, and client_staff) have access to session management features in the Settings area of the portal:

  • View active sessions — See a list of your currently active sessions, including information about when and where each session was created.
  • Revoke individual sessions — End a specific non-current session (for example, a session left open on another device).
  • Sign out other devices — Revoke all sessions except your current one.

These features help you maintain control over your account security, especially if you suspect unauthorised access.

The current session is not revocable from the Settings panel; use the normal sign-out flow for the current browser.

#Session Revocation by Administrators

Client administrators (client_admin) can also view and revoke sessions for other users within their organisation from the Team surface. The Team table shows the Manage sessions action only to client administrators; it opens /team/[userId]/sessions.

Revocation requests verify that the target session belongs to the target user before revoking it. Administrators cannot revoke their own sessions through the team-management route; they must use the normal sign-out or own-session controls.
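
The own-session controls in Settings and the administrator route above, as one added JavaScript authorization example; this is not the portal's code. The role names are those used on this page; the request shapes, the organisationId field, the reason strings and the sample directory are assumptions, and the session store is constructed.

```javascript
// Added example, not the portal's code. One authorization function covers the
// two revocation paths described above: a user revoking their own non-current
// sessions from Settings, and a client_admin revoking another user's sessions
// from the Team route. Record shapes and reason strings are assumptions.

const SESSION_MANAGER_ROLES = new Set(["client_admin", "client_manager", "client_staff"]);

const deny = (reason) => ({ allowed: false, reason });

// actor:   { userId, role, organisationId, sessionId }  (caller and their current session)
// route:   "settings" (own sessions) or "team" (/team/[userId]/sessions)
// target:  { userId, organisationId } for the user named in the request
// session: the record looked up by the requested session id, or null
function authorizeRevocation(actor, route, target, session) {
  // Role and route checks first, before any object-level lookup is trusted.
  if (route === "settings") {
    if (!SESSION_MANAGER_ROLES.has(actor.role)) return deny("role_not_permitted");
    if (target.userId !== actor.userId) return deny("not_own_user");
  } else if (route === "team") {
    if (actor.role !== "client_admin") return deny("role_not_permitted");
    if (target.userId === actor.userId) return deny("self_via_team_route");
    if (target.organisationId !== actor.organisationId) return deny("organisation_mismatch");
  } else {
    return deny("unknown_route");
  }
  // Object-level checks: the session must exist, belong to the target user
  // (otherwise a guessed id could revoke someone else's session), and must not
  // be the caller's own current session.
  if (!session) return deny("not_found");
  if (session.userId !== target.userId) return deny("session_user_mismatch");
  if (session.id === actor.sessionId) return deny("current_session");
  return { allowed: true, reason: route === "team" ? "admin_revocation" : "own_session" };
}

// "Sign out other devices": every live session of the caller except the current one.
function otherDeviceSessions(actor, sessions) {
  if (!SESSION_MANAGER_ROLES.has(actor.role)) return { allowed: false, sessionIds: [] };
  const sessionIds = sessions
    .filter((s) => s.userId === actor.userId && s.id !== actor.sessionId && s.revokedAt === null)
    .map((s) => s.id);
  return { allowed: true, sessionIds };
}

// Constructed sample directory and session store.
const users = {
  "a-1": { userId: "a-1", organisationId: "org-1" }, // client_admin
  "u-2": { userId: "u-2", organisationId: "org-1" }, // client_staff, same organisation
  "u-9": { userId: "u-9", organisationId: "org-2" }, // user in another organisation
};
const sessions = [
  { id: "s-a1", userId: "a-1", revokedAt: null },
  { id: "s-u2a", userId: "u-2", revokedAt: null },
  { id: "s-u2b", userId: "u-2", revokedAt: null },
  { id: "s-u9", userId: "u-9", revokedAt: null },
];
const byId = Object.fromEntries(sessions.map((s) => [s.id, s]));

const staff = { userId: "u-2", role: "client_staff", organisationId: "org-1", sessionId: "s-u2a" };
const admin = { userId: "a-1", role: "client_admin", organisationId: "org-1", sessionId: "s-a1" };
const partner = { userId: "p-1", role: "partner_user", organisationId: "org-3", sessionId: "s-p1" };

console.log(authorizeRevocation(staff, "settings", users["u-2"], byId["s-u2b"]));
console.log(authorizeRevocation(staff, "settings", users["u-2"], byId["s-u2a"]));
console.log(authorizeRevocation(admin, "team", users["u-2"], byId["s-u2a"]));
console.log(authorizeRevocation(admin, "team", users["u-9"], byId["s-u9"]));
console.log(authorizeRevocation(partner, "settings", { userId: "p-1", organisationId: "org-3" }, null));
console.log(otherDeviceSessions(staff, sessions));
```

The session-to-user check is the important one: a route like /team/[userId]/sessions names both a user and a session, and accepting the session id on its own would let a caller who is permitted to manage one user revoke sessions of any user whose id they can guess.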

#Partner Roles

Partner roles (partner_admin and partner_user) can sign out of the portal using the standard sign-out option, but they do not have access to the Settings session-management surface: they cannot view active session lists, revoke individual sessions, or sign out other devices from the portal.

#Session Security Best Practices

  • Sign out when finished — Always sign out when you are done using the portal, especially on shared or public computers.
  • Review active sessions regularly — If you have session management access, periodically review your active sessions and revoke any you do not recognise.
  • Report suspicious activity — If you notice unfamiliar sessions or suspect unauthorised access, revoke them immediately and contact your administrator.
  • Enable MFA — Multi-factor authentication adds an extra layer of protection. Even if your password is compromised, MFA helps prevent unauthorised sign-in. See Multi-Factor Authentication.

#Next Steps