Session Expiry is supported for Okta and OpenID Connect (OIDC) Enterprise connections. It is not available for Microsoft Entra ID (Azure AD) connections because Microsoft does not include the session_expiry claim in Entra ID tokens.

Auth0 supports the session_expiry claim defined by the Interoperability Profile for Secure Identity in the Enterprise (IPSIE) standard for Okta and OIDC Enterprise connections. When enabled, Auth0 captures session_expiry (a Unix timestamp in seconds) from the upstream Identity Provider (IdP) and includes it in the ID Token issued to your application.
Auth0 consumes the session_expiry claim and synchronizes the local Auth0 session with the upstream IdP’s session lifecycle. This ensures when a user’s session expires at the Enterprise IdP, their Auth0 session also terminates.
How it works
When a user authenticates through a session_expiry-enabled Enterprise connection, Auth0:
- Captures the session_expiry claim from the upstream IdP's ID Token.
- Calculates the session expiration by evaluating the following factors and sets the final Auth0 session expiration to the minimum (earliest) of them:
  - The IdP session_expiry claim: the absolute timestamp in the ID Token from the upstream Identity Provider.
  - Your Auth0 tenant's Absolute Expiration setting: the session lifetime limit you configure in the Auth0 Dashboard or Management API. To learn more, read Configure Session Lifetime Settings.
  - Auth0 Actions (setExpiresAt): any custom expiration timestamp set programmatically during the login transaction with the Post-Login Action api.session.setExpiresAt() method.
- Uses a Post-Login Action you configure during enablement to pass the final evaluated session expiration to your application by injecting it as a custom claim into the Auth0-issued ID Token.
The session_expiry claim is a Unix timestamp in seconds representing the absolute expiration limit for the user's session. It is distinct from the ID Token's own exp claim:
| Claim | What it represents | Scope |
|---|---|---|
| exp | ID Token lifetime (typically minutes) | Token validation |
| session_expiry | Absolute session expiration (Unix timestamp, seconds) | Session management |
The session_expiry claim is not a replacement for exp. The ID Token's own exp remains short-lived and unchanged; session_expiry is a session-level limit carried alongside the other token claims.
The session_expiry value is fixed at login. It is set once when the user authenticates and is not updated when tokens are refreshed. A user who was already logged in before this feature is enabled will not have session_expiry on their existing session; the claim only appears after their next login.
This feature addresses scheduled session expiry only. For real-time session revocation, like when a user is off-boarded mid-session, we recommend you use Back-Channel Logout.
Enable session expiry enforcement
Configure session expiry enforcement on your Enterprise connection using the Auth0 Dashboard or Management API. Using the Dashboard:
- Navigate to Authentication > Enterprise in the Auth0 Dashboard.
- Find the Okta or OpenID Connect Enterprise connection and select Browse.
- Choose the connection you want to configure.
- Under Settings, enable Use ID Token for Session Expiry.
- Select Save.
Send session expiration to your application
While Auth0 uses the calculated session expiration to manage its own session layer, your downstream applications may also need to know this absolute expiration time to enforce local session limits. Configure a Post-Login Action to inject the final, evaluated session expiration into the Auth0-issued ID Token and pass the token to your application. Using the Dashboard:
- Navigate to Actions > Library in the Auth0 Dashboard and select Build Custom Action.
- Enter a name for the Action, select Login / Post Login as the trigger, and select Create.
- Add the Action code that reads the evaluated session expiration for the login and injects it into the ID Token as the session_expiry custom claim.
- Under the Test panel, select Run and review results.
- Select Deploy.
- Navigate to Actions > Triggers and select Post-Login.
- Locate your Action and drag it into the Login flow. Select Apply.
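The following is an added example of what the Action body in step 3 could look like; it is not the page's own Action code and not code published by Auth0. It assumes that the session expiration Auth0 evaluated for the login is exposed to the Action as event.session.expires_at (an ISO 8601 string), which you should verify against the Post-Login event object reference for your tenant before deploying, and that the claim name session_expiry is the one your SDKs read. The resolveSessionExpiry helper restates the three-factor rule from "How it works" so you can reason about which limit wins for a given login; Auth0 performs that evaluation itself. Denying a login whose expiry has already elapsed is a defensive choice made by this example, not behaviour the page describes.

```javascript
// Added example of a Post-Login Action body; not Auth0's own published code.
// ASSUMPTION: the session expiration Auth0 evaluated for this login is exposed
// to the Action as event.session.expires_at (ISO 8601). Confirm this against
// the Post-Login event object reference before relying on it.

const SESSION_EXPIRY_CLAIM = "session_expiry"; // the claim name the Auth0 SDKs read

// Normalise an expiry value to a Unix timestamp in whole seconds.
// Accepts ISO 8601 strings, millisecond timestamps and second timestamps;
// returns null for anything it cannot interpret.
function toUnixSeconds(value) {
  if (value === null || value === undefined) return null;
  if (typeof value === "number" && Number.isFinite(value)) {
    // Values above 5e9 cannot be a plausible seconds timestamp, so treat them as ms.
    return value > 5e9 ? Math.floor(value / 1000) : Math.floor(value);
  }
  if (typeof value === "string") {
    const ms = Date.parse(value);
    return Number.isNaN(ms) ? null : Math.floor(ms / 1000);
  }
  return null;
}

// Restates the rule from "How it works": the effective session expiry is the
// earliest of the IdP session_expiry, the tenant absolute lifetime and any
// expiry an Action set with api.session.setExpiresAt(). Absent factors are skipped.
// Auth0 does this evaluation itself; the helper is here for reasoning and tests.
function resolveSessionExpiry({ idpSessionExpiry, tenantAbsoluteExpiry, actionExpiry }) {
  const candidates = [idpSessionExpiry, tenantAbsoluteExpiry, actionExpiry]
    .map(toUnixSeconds)
    .filter((t) => t !== null);
  return candidates.length === 0 ? null : Math.min(...candidates);
}

async function onExecutePostLogin(event, api) {
  const expiresAt = toUnixSeconds(event.session && event.session.expires_at);
  if (expiresAt === null) {
    // Nothing to propagate. Do not fail the login here: Auth0 still enforces
    // its own session lifetime; the application simply will not see the claim.
    return;
  }
  if (expiresAt <= Math.floor(Date.now() / 1000)) {
    // Defensive choice of this example: an already-elapsed expiry means the
    // session is not usable, so refuse rather than issue a token for it.
    api.access.deny("Session expiry from the identity provider has already elapsed.");
    return;
  }
  api.idToken.setCustomClaim(SESSION_EXPIRY_CLAIM, expiresAt);
}

// The Actions runtime looks the handler up on `exports`.
if (typeof exports === "object") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Test the Action in the Dashboard's Test panel with an event whose session.expires_at is in the future and confirm the issued ID Token carries session_expiry as an integer number of seconds; an ISO string or a millisecond value there would break the SDK comparison described below.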
Use session expiry with Auth0 SDKs
If you use Auth0 SDKs and have configured the Post-Login Action described above, session expiry is enforced automatically. The SDK reads session_expiry from the ID Token at login, persists it with the session, and treats the session as expired once the current time reaches or passes session_expiry:
| SDK type | How expiry is enforced |
|---|---|
| Regular Web App (Next.js, Express, Python) | Middleware clears the session and redirects with prompt=login; getAccessToken() throws SessionExpiredError |
| Single-Page App (React, Angular, Vue) | getTokenSilently() / getAccessTokenSilently() rejects and triggers re-login with prompt=login |
| Mobile (iOS/Swift, Android/Kotlin) | CredentialsManager.credentials() returns noCredentials and the app’s existing login path handles re-authentication |
The Post-Login Action injects the session_expiry claim into the ID Token. Once it is set, an expired session is handled by the SDK the same way as any other session expiry: the user is redirected to log in. No additional error handling is required.
Add session expiry values to your application
An optional step is to add session expiration values to your application. For example, your application can read session_expiry to show users a session-expiring warning, or you can bind your application's own session lifetime to the upstream IdP's value.
Do not cache the session_expiry value in a long-lived store, such as a cookie or localStorage, without re-validating it on each read. The value is only meaningful relative to the current wall-clock time.
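The following added example shows one way an application can consume the claim itself; it is not Auth0 SDK code and not code from the page. It decodes only the payload of an ID Token that the SDK has already validated (signature and issuer checks are the SDK's job and this helper is no substitute for them), applies the same rule the SDK table above describes (the session is over once now >= session_expiry), and distinguishes that case from the short-lived exp elapsing, which only calls for a token refresh. The sample token, claim values and the 300-second warning threshold are constructed for the demonstration.

```javascript
// Added example, not Auth0 SDK code: read session_expiry from an ID Token the
// SDK has already validated and evaluate it against the wall clock on every read.
// Only the payload is decoded here; signature and issuer checks are the SDK's job.

function base64UrlDecode(segment) {
  const padded = segment.replace(/-/g, "+").replace(/_/g, "/") +
    "=".repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Return the claims object of a compact JWS without verifying it.
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Decide what the application should do right now:
//   relogin : session_expiry reached or passed; a token refresh will not help,
//             send the user back through Auth0 with prompt=login
//   refresh : only the short-lived exp has passed; refresh tokens silently
//   warn    : the session ends within warnBeforeSeconds; show the banner
//   ok      : nothing to do
// A missing session_expiry means the upstream IdP supplied none (feature off or
// user logged in before enablement), so only exp applies.
function sessionState(claims, nowSeconds, warnBeforeSeconds = 300) {
  const sessionExpiry = Number.isInteger(claims.session_expiry) ? claims.session_expiry : null;
  const tokenExpiry = Number.isInteger(claims.exp) ? claims.exp : null;
  const secondsRemaining = sessionExpiry === null ? null : Math.max(0, sessionExpiry - nowSeconds);
  if (sessionExpiry !== null && nowSeconds >= sessionExpiry) return { action: "relogin", secondsRemaining: 0 };
  if (tokenExpiry !== null && nowSeconds >= tokenExpiry) return { action: "refresh", secondsRemaining };
  if (secondsRemaining !== null && secondsRemaining <= warnBeforeSeconds) return { action: "warn", secondsRemaining };
  return { action: "ok", secondsRemaining };
}

// Keep the claims in memory only and re-evaluate against the clock on every
// check, so nothing stale is persisted to a cookie or localStorage.
function createSessionWatcher(idToken, clock = () => Math.floor(Date.now() / 1000)) {
  const claims = decodeIdTokenClaims(idToken);
  return { check: (warnBeforeSeconds) => sessionState(claims, clock(), warnBeforeSeconds) };
}

// Constructed sample for the demo: an unsigned payload with a dummy signature.
// Never build tokens like this for real use.
function buildSampleIdToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.x`;
}

const SAMPLE_ID_TOKEN = buildSampleIdToken({
  sub: "auth0|example",
  iat: 1735686000,
  exp: 1735686600,            // the token itself lives 10 minutes
  session_expiry: 1735689600, // IdP session ends at 2025-01-01T00:00:00Z
});

if (typeof require !== "undefined" && require.main === module) {
  const watcher = createSessionWatcher(SAMPLE_ID_TOKEN, () => 1735689400);
  console.log(watcher.check(300)); // refresh: exp has passed, 200 s of session left
}
```

Calling check() on a timer and acting on "relogin" by starting a new authorization request with prompt=login mirrors what the SDKs do; acting on "refresh" with a silent token request keeps the user signed in without ever extending the session past session_expiry.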
Verify in tenant logs
After enabling session expiry enforcement, verify that it is working by checking tenant logs. Navigate to Auth0 Dashboard > Monitoring > Logs and look for a successful login (type s) event for a user authenticating through the configured Enterprise connection. When the upstream IdP's session_expiry is less than or equal to your tenant's configured absolute session lifetime, the log entry includes the idp_session_expiry field (a Unix timestamp in seconds).
If the upstream IdP does not return a session_expiry claim and the feature is enabled, login fails with the error message: The upstream Identity Provider did not return a session_expiry claim.
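When rolling the feature out across a connection, it is quicker to audit exported log entries than to read them one by one. The following added example (not Auth0 tooling) summarises entries for one connection: successful logins that carry idp_session_expiry, successful logins that do not (expected when the IdP value exceeds the tenant absolute lifetime, so not by itself an error), and failed logins caused by a missing session_expiry claim. It assumes entries shaped like those returned by the Management API logs endpoint, with the field either at the top level or under details, and the log entries below are constructed for the demonstration.

```javascript
// Added example, not Auth0 tooling: audit exported tenant log entries for the
// session expiry rollout. Entries are assumed to look like Management API log
// objects; idp_session_expiry is looked for at the top level and under `details`.

// Constructed sample entries for the demo.
const SAMPLE_LOG_ENTRIES = [
  { type: "s", connection: "okta-corp", user_name: "a@example.com", idp_session_expiry: 1735689600 },
  { type: "s", connection: "okta-corp", user_name: "b@example.com", details: { idp_session_expiry: 1735693200 } },
  { type: "s", connection: "okta-corp", user_name: "c@example.com" },
  { type: "s", connection: "google-oauth2", user_name: "d@example.com" },
  { type: "f", connection: "okta-corp", user_name: "e@example.com",
    description: "The upstream Identity Provider did not return a session_expiry claim." },
  { type: "f", connection: "okta-corp", user_name: "f@example.com", description: "Wrong email or password." },
];

// Extract idp_session_expiry from wherever the export placed it.
function idpSessionExpiry(entry) {
  if (Number.isInteger(entry.idp_session_expiry)) return entry.idp_session_expiry;
  if (entry.details && Number.isInteger(entry.details.idp_session_expiry)) return entry.details.idp_session_expiry;
  return null;
}

const MISSING_CLAIM_PATTERN = /did not return a session_expiry claim/i;

// Summarise logins for one connection. Only type "s" (success) and type "f"
// (failed login) entries are considered; everything else is ignored.
function auditSessionExpiryRollout(entries, connectionName) {
  const report = { withExpiry: [], withoutExpiry: [], missingClaimFailures: [] };
  for (const entry of entries) {
    if (entry.connection !== connectionName) continue;
    if (entry.type === "s") {
      const exp = idpSessionExpiry(entry);
      if (exp === null) {
        report.withoutExpiry.push(entry.user_name);
      } else {
        report.withExpiry.push({ user: entry.user_name, expiresAt: new Date(exp * 1000).toISOString() });
      }
    } else if (entry.type === "f" && MISSING_CLAIM_PATTERN.test(entry.description || "")) {
      report.missingClaimFailures.push(entry.user_name);
    }
  }
  return report;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditSessionExpiryRollout(SAMPLE_LOG_ENTRIES, "okta-corp"), null, 2));
}
```

A non-empty missingClaimFailures list after enablement means the IdP is not sending the claim for those users and the feature should be disabled on that connection until it does; a large withoutExpiry share is worth comparing against the tenant's absolute lifetime before treating it as a problem.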
Disable session expiry enforcement
You can disable session expiry enforcement using the Auth0 Dashboard or Management API. Using the Dashboard:
- Navigate to Authentication > Enterprise in the Auth0 Dashboard.
- Select the connection you want to configure.
- Select the Settings tab.
- Disable Use ID Token for Session Expiry.
- Select Save.