Logins and Sessions

February 20, 2015

We have a lot planned for 2015. Today we’re excited to make our first announcement of the new year.

Managed Sessions

You may have occasionally been on a site that could show you all outstanding sessions, even from different devices. Often they have the ability to terminate those sessions too.

This provides both added security and peace of mind. Security by ending forgotten sessions. Peace of mind in knowing what sessions are (or aren’t) still active.

With our new Managed Sessions, your site can have this too. As usual, we’ve distilled it down to a super simple API.


As you can see, managed sessions also track IPs and client information (brower’s user agent, mobile app identifier, etc.), making it easy to see which session is which.

To give everyone a taste, we’ve enabled it for all plans. Our Develop and Grow plans support sessions up to 24 hours–useful for both normal, everyday logins and development/testing. Our Accelerate and higher plans support sessions up to a year–perfect for modern applications with multiple authentication channels.

For configuration, see Realm Settings in our UI or the Realms API. Also see Sessions Concepts or the Sessions API.

Login tokens

Next up, let’s talk about login tokens. We’ve used login tokens from the beginning. But now we’ve made them intelligent.

Login tokens are now JWT-encoded. If you’re not familiar with JWT (JSON web tokens), a quick background is in order.

JWT is a standardized way of securely encoding data and sending it between a user and one or more backend services. JWTs look like ordinary strings, so they’re easy to pass around. They’re cryptographically signed, so they can’t be changed without detection. And they can contain actual data, making them perfect for login tokens.

All of AuthRocket’s login tokens are now JWT compatible. For legacy code, this changes nothing. Our system will still accept the whole token and perform login event validation as it always has.

For new (or updated) code, this opens up a new world of opportunities though. Our login tokens can now be verified and checked for expiration without making an API call, which has the potential to speed things up a bit.

The tokens also contain basic user information, such as user ID and name. This enables your app to quickly show things like your user’s name on a nav bar without making an API call just for that.

The new login tokens are also really well suited for use with today’s Javascript frameworks, such as Angular, Backbone, or Ember. Parse them client-side (without verification) for UI display and management and send them to your app server (which parses them with verification) too.

For more, read our login tokens docs.

 Questions? Thoughts? As always, we’d love to hear from you.