> ## Documentation Index
> Fetch the complete documentation index at: https://docs.antei.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Session & Token Management

> How Antei manages sessions, scoped tokens, and secure authentication across its application and Vault system.

<Icon icon="timer" size={26} color="#4B5563" />

# Session & Token Management

Antei enforces robust session control and token verification mechanisms to ensure secure access across all application modules — including Vault, integrations, and critical workflows. Sessions and tokens are encrypted, scoped, and rate-limited for compliance-grade protection.

***

## Session Types & Expiry

| Session Type      | Timeout Duration  | Behavior on Expiry                                  |
| ----------------- | ----------------- | --------------------------------------------------- |
| **App Session**   | 10 min inactivity | User is logged out and must re-authenticate         |
| **Vault Session** | 5 min inactivity  | Password prompt required; active across all modules |
| **Scoped Tokens** | 5–15 minutes      | Automatically expires; must be regenerated securely |

* Sessions are **device-specific**
* Vault sessions expire independently of app sessions
* Expiry is enforced by backend system time, not just browser events

***

## Token Architecture

Antei uses opaque, encrypted tokens backed by secure infrastructure:

* Stored in **Postgres Database** with **SHA-256** hashing
* Not stored in browser local/session storage
* Passed securely via **URL params** or internal context
* Validated and decoded before any data access or processing

***

## Scoped Token Flow

Scoped tokens are generated dynamically for operations such as:

* Vault file previews
* Temporary access to download links
* One-time API routing for background jobs

Each token is:

* Scoped to a **user, org, and action**
* Time-limited and invalidated automatically
* Logged and tracked in session activity history

📌 Example: A user viewing a tax document from Vault uses a scoped token valid for 5 minutes.

***

## API Keys & Environments

Antei supports **API keys** for integration use across environments:

| Key Type       | Description                         | Use Case                         |
| -------------- | ----------------------------------- | -------------------------------- |
| **Production** | Access to live org data             | Real-time automation, data syncs |
| **Staging**    | Test data workflows and development | QA testing, sandbox integrations |

* Keys are **org-specific**, **role-scoped**, and **non-retrievable** after creation
* Rotate keys regularly and disable unused ones from **Settings → Access Tokens**

***

## API Protection & Rate Limiting

Every request to Antei’s platform APIs passes through security checks:

| Layer                      | Purpose                                           |
| -------------------------- | ------------------------------------------------- |
| **Rate Limiting**          | Prevents abuse using per-org, per-token rules     |
| **Token Verification**     | Validates expiry, hash signature, and origin      |
| **User Binding**           | Auth token must match active user session         |
| **Org Authorization**      | Ensures the user belongs to the org in context    |
| **Permission Enforcement** | Enforces resource-level access based on user role |

***

## Authentication Flow

Each protected route follows this pipeline:

1. **Rate Check** — Controls frequency of access
2. **Token Validation** — Checks SHA-256, expiry, and presence
3. **User Association** — Token must match logged-in user
4. **Org Binding** — Prevents cross-org token abuse
5. **Permission Evaluation** — Verifies user role against resource access matrix

```mermaid theme={null}
flowchart TD
  subgraph User_Activity
    A1[Login via UI or API]
    A2[Inactivity Detected]
    A3[Vault Access Triggered]
  end

  subgraph App_Session_Layer
    B1[10-min Token Issued]
    B2[Token Encrypted - SHA-256]
    B3[Session Validated on Each API Call]
  end

  subgraph Vault_Session_Layer
    C1[5-min Scoped Vault Session]
    C2[Password Prompt Required]
    C3[Token Passed via Secure URL]
  end

  subgraph API_Protection_Layer
    D1[Rate Limit Check]
    D2[Token Validity Verified]
    D3[User-Org-Token Association]
    D4[Permission Matrix Enforced]
  end

  A1 --> B1 --> B2 --> B3 --> D1
  A2 --> B1
  A3 --> C1 --> C2 --> C3 --> D1
  D1 --> D2 --> D3 --> D4
```

***

## Vault-Specific Controls

Vault enforces additional authentication logic:

* Sessions expire **after 5 minutes of inactivity**, requiring password
* Vault sessions span across modules but remain sandboxed
* Every file action uses **scoped, auto-expiring tokens**
* Events are separately tracked in **Audit Trails**

***

## Auditability & Observability

* Session token generation, use, and expiry are logged
* Vault events (access, file view, expiry) appear in audit logs
* Admins can see active sessions per user but **cannot revoke** to prevent accidental invalidation
* Token misuse or errors trigger alert logs for monitoring

***

## Security Highlights

* SHA-256 encrypted tokens
* No browser-side persistent storage
* Rate-limited API access
* Org+user+action scoped auth layers
* Separate controls for Vault
* All flows backed by secure Retool-based storage

***

## Need Help?

For session, token, or Vault access queries, reach out at [support@antei.com](mailto:support@antei.com)
