Session & Token Management
How Antei manages sessions, scoped tokens, and secure authentication across its application and Vault system.
Antei enforces robust session control and token verification mechanisms to ensure secure access across all application modules — including Vault, integrations, and critical workflows. Sessions and tokens are encrypted, scoped, and rate-limited for compliance-grade protection.
Session Types & Expiry
| Session Type | Timeout Duration | Behavior on Expiry |
|---|---|---|
| App Session | 10 min inactivity | User is logged out and must re-authenticate |
| Vault Session | 5 min inactivity | Password prompt required; active across all modules |
| Scoped Tokens | 5–15 minutes | Automatically expires; must be regenerated securely |
- Sessions are device-specific
- Vault sessions expire independently of app sessions
- Expiry is enforced by backend system time, not just browser events
Token Architecture
Antei uses opaque, encrypted tokens backed by secure infrastructure:
- Stored in a Postgres database as SHA-256 hashes (the raw token value is never persisted)
- Not stored in browser local/session storage
- Passed securely via URL params or internal context
- Validated and decoded before any data access or processing
Scoped Token Flow
Scoped tokens are generated dynamically for operations such as:
- Vault file previews
- Temporary access to download links
- One-time API routing for background jobs
Each token is:
- Scoped to a user, org, and action
- Time-limited and invalidated automatically
- Logged and tracked in session activity history
📌 Example: A user viewing a tax document from Vault uses a scoped token valid for 5 minutes.
API Keys & Environments
Antei supports API keys for integration use across environments:
| Key Type | Description | Use Case |
|---|---|---|
| Production | Access to live org data | Real-time automation, data syncs |
| Staging | Test data workflows and development | QA testing, sandbox integrations |
- Keys are org-specific, role-scoped, and non-retrievable after creation
- Rotate keys regularly and disable unused ones from Settings → Access Tokens
API Protection & Rate Limiting
Every request to Antei’s platform APIs passes through security checks:
| Layer | Purpose |
|---|---|
| Rate Limiting | Prevents abuse using per-org, per-token rules |
| Token Verification | Validates expiry, hash signature, and origin |
| User Binding | Auth token must match active user session |
| Org Authorization | Ensures the user belongs to the org in context |
| Permission Enforcement | Enforces resource-level access based on user role |
Authentication Flow
Each protected route follows this pipeline:
- Rate Check — Controls frequency of access
- Token Validation — Checks SHA-256, expiry, and presence
- User Association — Token must match logged-in user
- Org Binding — Prevents cross-org token abuse
- Permission Evaluation — Verifies user role against resource access matrix
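The following is an added illustration of the scoped-token model and the five-step pipeline above, written for this page and not taken from Antei's codebase. It assumes an in-memory dictionary standing in for the Postgres token table, a constructed role-to-action matrix, constructed per-org and per-token request budgets, and an injectable server clock; the `TokenService`, `issue` and `verify` names are hypothetical. Only the SHA-256 hash of each opaque token is stored, the raw value is returned once to the caller, and every check is evaluated on server time in the order the page lists.

```python
"""Scoped-token issue/verify pipeline (added example, not Antei's code)."""
import hashlib
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed role -> allowed-action matrix standing in for the resource access matrix.
ROLE_MATRIX = {
    "admin": {"vault.preview", "vault.download", "jobs.route"},
    "member": {"vault.preview", "vault.download"},
    "viewer": {"vault.preview"},
}
ORG_LIMIT, TOKEN_LIMIT = 100, 20    # requests per minute; constructed figures


@dataclass
class TokenRecord:
    user_id: str        # token is scoped to one user ...
    org_id: str         # ... one org ...
    action: str         # ... and one action
    expires_at: float   # server-time epoch seconds
    used: bool = False  # set for one-time tokens (e.g. background job routing)


class TokenService:
    def __init__(self, now=time.time):
        self._now = now                                 # backend clock, not a browser value
        self._by_hash: Dict[str, TokenRecord] = {}      # key = SHA-256 hex of the opaque token
        self._hits = defaultdict(list)                  # sliding-window rate-limit buckets

    def issue(self, user_id: str, org_id: str, action: str, ttl_s: int) -> str:
        raw = secrets.token_urlsafe(32)                 # opaque, high-entropy, unguessable
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._by_hash[digest] = TokenRecord(user_id, org_id, action, self._now() + ttl_s)
        return raw      # the raw value leaves the server once; only its hash is stored

    def _over_limit(self, key, limit: int) -> bool:
        cutoff = self._now() - 60
        bucket = [t for t in self._hits[key] if t > cutoff]
        bucket.append(self._now())
        self._hits[key] = bucket
        return len(bucket) > limit

    def verify(self, raw, session_user, session_org, role, action, one_time=False) -> str:
        digest = hashlib.sha256((raw or "").encode()).hexdigest()
        # 1. Rate check: per-org and per-token budgets, before any table lookup
        if self._over_limit(("org", session_org), ORG_LIMIT) or \
           self._over_limit(("tok", digest), TOKEN_LIMIT):
            return "rate_limited"
        # 2. Token validation: presence, hash lookup, expiry on server time
        rec = self._by_hash.get(digest)
        if not raw or rec is None:
            return "invalid_token"
        if self._now() >= rec.expires_at or rec.used:
            self._by_hash.pop(digest, None)             # auto-invalidate; must be regenerated
            return "expired_token"
        # 3. User association: token must match the logged-in user
        if rec.user_id != session_user:
            return "user_mismatch"
        # 4. Org binding: blocks cross-org reuse of a valid token
        if rec.org_id != session_org:
            return "org_mismatch"
        # 5. Permission evaluation: token scope and role matrix must both allow the action
        if rec.action != action or action not in ROLE_MATRIX.get(role, set()):
            return "forbidden"
        if one_time:
            rec.used = True                             # consumed; a second use is rejected
        return "ok"


def demo() -> List:
    """Walk a 5-minute Vault preview token and a one-time job token through the pipeline."""
    t = [1_000.0]
    svc = TokenService(now=lambda: t[0])
    tok = svc.issue("u1", "org-a", "vault.preview", ttl_s=300)
    out = [svc.verify(tok, "u1", "org-a", "viewer", "vault.preview")]            # ok
    out.append(svc.verify(tok, "u2", "org-a", "viewer", "vault.preview"))         # user_mismatch
    out.append(svc.verify(tok, "u1", "org-b", "viewer", "vault.preview"))         # org_mismatch
    out.append(svc.verify(tok, "u1", "org-a", "viewer", "vault.download"))        # forbidden
    out.append(svc.verify("not-a-token", "u1", "org-a", "viewer", "vault.preview"))  # invalid_token
    t[0] += 301                                                                   # past expiry
    out.append(svc.verify(tok, "u1", "org-a", "viewer", "vault.preview"))         # expired_token
    job = svc.issue("u1", "org-a", "jobs.route", ttl_s=900)
    out.append(svc.verify(job, "u1", "org-a", "admin", "jobs.route", one_time=True))  # ok
    out.append(svc.verify(job, "u1", "org-a", "admin", "jobs.route", one_time=True))  # expired_token
    return out


def demo_rate_limit() -> int:
    """Number of successful calls before the per-token budget trips (TOKEN_LIMIT)."""
    t = [0.0]
    svc = TokenService(now=lambda: t[0])
    tok = svc.issue("u1", "org-a", "vault.preview", ttl_s=300)
    results = [svc.verify(tok, "u1", "org-a", "viewer", "vault.preview")
               for _ in range(TOKEN_LIMIT + 1)]
    return results.count("ok")
```

The rate check runs before the hash lookup so that a flood of bogus tokens never reaches the token table, and a used one-time token is treated exactly like an expired one so the caller cannot distinguish the two. Because the stored value is the SHA-256 hash of a 256-bit random string, a database read of the table yields nothing a client could present.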
Vault-Specific Controls
Vault enforces additional authentication logic:
- Sessions expire after 5 minutes of inactivity, after which the password must be re-entered
- Vault sessions span across modules but remain sandboxed
- Every file action uses scoped, auto-expiring tokens
- Events are separately tracked in Audit Trails
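The inactivity rules from the Session Types table and the Vault-specific controls above, as an added worked example that is not Antei's code. It assumes an in-memory session store, an injectable clock standing in for backend system time, and the page's timeouts (10 minutes for the app session, 5 minutes for Vault); the `SessionStore` class and its method names are hypothetical. The example shows that Vault expiry is tracked separately from app activity, that sessions are bound to a device, and that expiry is decided by the server clock rather than by anything the browser reports.

```python
"""Server-side inactivity expiry for app and Vault sessions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

APP_TIMEOUT = timedelta(minutes=10)    # page: app session, 10 min inactivity
VAULT_TIMEOUT = timedelta(minutes=5)   # page: Vault session, 5 min inactivity


@dataclass
class Session:
    user_id: str
    device_id: str                              # sessions are device-specific
    app_last_seen: datetime
    vault_last_seen: Optional[datetime] = None  # None means Vault is locked


class SessionStore:
    """In-memory stand-in for the backend session table (constructed)."""

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock                     # backend system time, never a browser timestamp
        self._sessions: Dict[str, Session] = {}

    def login(self, sid: str, user_id: str, device_id: str) -> None:
        self._sessions[sid] = Session(user_id, device_id, self._clock())

    def _active(self, sid: str, device_id: str) -> Optional[Session]:
        """Return the session if it belongs to this device and is within the app timeout."""
        s = self._sessions.get(sid)
        if s is None or s.device_id != device_id:
            return None
        if self._clock() - s.app_last_seen > APP_TIMEOUT:
            del self._sessions[sid]             # logged out; user must re-authenticate
            return None
        return s

    def touch_app(self, sid: str, device_id: str) -> str:
        s = self._active(sid, device_id)
        if s is None:
            return "logged_out"
        s.app_last_seen = self._clock()         # app activity does not refresh the Vault timer
        return "ok"

    def unlock_vault(self, sid: str, device_id: str, password_ok: bool) -> bool:
        s = self._active(sid, device_id)
        if s is None or not password_ok:
            return False
        s.vault_last_seen = self._clock()
        return True

    def touch_vault(self, sid: str, device_id: str) -> str:
        s = self._active(sid, device_id)
        if s is None:
            return "logged_out"
        now = self._clock()
        if s.vault_last_seen is None or now - s.vault_last_seen > VAULT_TIMEOUT:
            s.vault_last_seen = None            # Vault locks independently of the app session
            return "password_required"
        s.vault_last_seen = now
        return "ok"


class FakeClock:
    """Controllable server clock so the expiry rules can be exercised offline (constructed)."""

    def __init__(self):
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, minutes: int) -> None:
        self.now += timedelta(minutes=minutes)


def demo() -> List:
    clock = FakeClock()
    store = SessionStore(clock)
    store.login("s1", "u1", "d1")
    store.unlock_vault("s1", "d1", password_ok=True)
    out = []
    clock.advance(3)
    out.append(store.touch_app("s1", "d1"))                       # ok: 3 min < 10
    clock.advance(3)
    out.append(store.touch_vault("s1", "d1"))                     # password_required: 6 min > 5
    out.append(store.touch_app("s1", "d2"))                       # logged_out: wrong device
    out.append(store.unlock_vault("s1", "d1", password_ok=True))  # True: app session still live
    clock.advance(11)
    out.append(store.touch_app("s1", "d1"))                       # logged_out: 14 min idle
    out.append(store.touch_vault("s1", "d1"))                     # logged_out: session gone
    return out
```

Note that a request from a second device id is refused without disturbing the original session, and that a Vault lock after 5 idle minutes leaves the app session intact until its own 10-minute limit is reached.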
Auditability & Observability
- Session token generation, use, and expiry are logged
- Vault events (access, file view, expiry) appear in audit logs
- Admins can view active sessions per user but cannot revoke them; this prevents accidental invalidation
- Token misuse or errors trigger alert logs for monitoring
Security Highlights
- Tokens stored only as SHA-256 hashes
- No browser-side persistent storage
- Rate-limited API access
- Org+user+action scoped auth layers
- Separate controls for Vault
- All flows backed by secure Retool-based storage
Need Help?
For session, token, or Vault access queries, reach out at support@antei.com