Session.
The state representing an authenticated user's current interaction with an application, typically backed by a token (cookie, JWT, or opaque session ID).
Session lifetime is the most-tuned variable in production CIAM. Too long and theft is catastrophic; too short and re-auth friction depresses engagement. The 2026 default is 15-minute access tokens plus 30-day rotating refresh tokens, with sensitive actions requiring step-up auth even within a valid session.
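The lifetime policy described above, as an added sketch that is not taken from any particular CIAM product. The `SessionStore` class, the in-memory dictionaries, the 5-minute `STEP_UP_WINDOW`, and the choice to give each rotated refresh token a fresh 30-day lifetime are assumptions made for illustration.

```python
import hashlib
import secrets

ACCESS_TTL = 15 * 60            # 15-minute access tokens (from the text)
REFRESH_TTL = 30 * 24 * 3600    # 30-day refresh tokens (from the text)
STEP_UP_WINDOW = 5 * 60         # assumption: how recent a step-up must be

class SessionStore:
    """Hypothetical in-memory store; tokens are kept only as SHA-256 hashes."""
    def __init__(self):
        self.access = {}    # token hash -> (session_id, expires_at)
        self.refresh = {}   # token hash -> (session_id, expires_at)
        self.step_up = {}   # session_id -> time of last step-up auth

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, sid, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[self._h(access)] = (sid, now + ACCESS_TTL)
        self.refresh[self._h(refresh)] = (sid, now + REFRESH_TTL)
        return access, refresh

    def login(self, now):
        return self._issue(secrets.token_hex(8), now)

    def rotate(self, refresh_token, now):
        """Exchange a refresh token for a new pair; the old one is single-use."""
        entry = self.refresh.pop(self._h(refresh_token), None)
        if entry is None or now >= entry[1]:
            return None                      # unknown, already used, or expired
        return self._issue(entry[0], now)

    def session_for(self, access_token, now):
        entry = self.access.get(self._h(access_token))
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def record_step_up(self, access_token, now):
        sid = self.session_for(access_token, now)
        if sid is not None:
            self.step_up[sid] = now

    def allow_sensitive(self, access_token, now):
        sid = self.session_for(access_token, now)
        last = self.step_up.get(sid)         # a valid session alone is not enough
        return sid is not None and last is not None and now - last <= STEP_UP_WINDOW
```

Times are passed in as plain seconds so the expiry boundaries can be exercised directly; a real deployment would use a clock and a persistent store.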
Common questions
How long should a session last?
How do I revoke a session?
Are JWT sessions secure?