Access Control · Sessions

Sessions that stay secure without interrupting work

Industry-standard session policies: 8-hour renewal while active, 72-hour inactivity timeout, 14-day maximum lifetime. High-risk operations require email confirmation.

Follows standards set by Auth0, Cloudflare, and similar authorities.

Available on Free, Pro, Scale, Enterprise

The problem

Sessions without limits create exposure

Balancing security and usability in session management is hard. Sessions that never expire create risk. Sessions that expire too often frustrate users. Neither extreme is acceptable.

Sessions that never expire are a security risk

Indefinite sessions mean a compromised credential grants permanent access. There is no forcing function for users to reauthenticate, even after extended periods.

Abandoned sessions stay active

When engineers leave for vacation or switch machines without logging out, their sessions remain open. Anyone who accesses the browser inherits their access.

Sensitive operations need extra confirmation

A single authenticated session protecting destructive actions, like organization deletion, creates risk both from accidental clicks and from unauthorized access with valid credentials.

Our solution

Calibrated policies that balance security and usability

Cosmo session policies follow standards set by industry leaders. Active users are never interrupted. Inactive sessions close automatically. Destructive operations require an extra confirmation step.

How sessions work

  1. Sessions are created when a user authenticates via password, Google, GitHub, or SSO.

  2. During active use, sessions renew every 8 hours automatically.

  3. If a session has no activity for 72 hours, it terminates automatically.

  4. Regardless of activity, sessions expire after a maximum of 14 days from creation.

  5. After the maximum lifetime, the user must reauthenticate to continue.

  6. High-risk operations, such as organization deletion, require email confirmation as an additional step.
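
The six steps above as a policy evaluator, added here as an illustration (example code, not Cosmo's own implementation; the Session type, the Evaluate function and the 2024 login timestamp are assumptions). It applies the page's three limits in the order that keeps the 14-day cap absolute, so continuous activity renews the session but never extends it past creation plus 14 days:

```go
package main

import (
	"fmt"
	"time"
)

// Policy limits as stated on the page.
const (
	RenewalInterval   = 8 * time.Hour       // renew while active
	InactivityTimeout = 72 * time.Hour      // idle sessions terminate
	MaxLifetime       = 14 * 24 * time.Hour // absolute cap from creation
)

type Session struct { // the three timestamps the policy needs
	CreatedAt    time.Time // fixed at login
	LastActivity time.Time // bumped on every accepted request
	RenewedAt    time.Time // start of the current 8-hour window
}
type Decision int // outcome of checking a session on a request
const (
	Valid              Decision = iota // accept, no change
	Renewed                            // accept and start a new 8-hour window
	ExpiredInactive                    // idle for 72 hours or more
	ExpiredMaxLifetime                 // 14 days or more since login
)
// NewSession starts all three clocks at login time t.
func NewSession(t time.Time) Session { return Session{CreatedAt: t, LastActivity: t, RenewedAt: t} }

// Evaluate applies the policy to a request at time now. The absolute 14-day cap is
// checked first so activity cannot extend past it; idleness is checked before bumping LastActivity.
func Evaluate(s *Session, now time.Time) Decision {
	if now.Sub(s.CreatedAt) >= MaxLifetime {
		return ExpiredMaxLifetime
	}
	if now.Sub(s.LastActivity) >= InactivityTimeout {
		return ExpiredInactive
	}
	s.LastActivity = now
	if now.Sub(s.RenewedAt) >= RenewalInterval {
		s.RenewedAt = now
		return Renewed
	}
	return Valid
}

func main() {
	s := NewSession(time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)) // constructed login time
	fmt.Println(Evaluate(&s, s.CreatedAt.Add(9*time.Hour)))     // 1 (Renewed)
}
```

The step-6 email confirmation is a separate check on the operation, not on the session, and is left out of this model.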

Security by default. No configuration required.

Session Management

Before & After

Before Cosmo                                         | With Cosmo
No session expiration policy                         | 14-day maximum session lifetime, enforced automatically
Abandoned sessions stay active indefinitely          | 72-hour inactivity timeout terminates sessions automatically
Constant reauthentication during active work         | 8-hour session renewal while the user is active
Destructive operations protected only by session     | High-risk operations require email confirmation

Login methods

Multiple authentication options

Email and password
Standard credential authentication
Google
Social login via Google OAuth
GitHub
Social login via GitHub OAuth
SSO
OIDC identity provider (Enterprise)

How Cosmo Session Management works

01
Renews every 8 hours.

Active renewal

While a user is active in Cosmo Studio, their session renews every 8 hours. Continuous work proceeds without interruption.

02
72-hour timeout.

Inactivity timeout

When a session has no activity for 72 hours, it terminates automatically. The user must log in again to continue. Abandoned sessions don't persist.

03
14-day maximum.

Maximum lifetime

All sessions have a maximum lifetime of 14 days from creation, regardless of activity. After 14 days, reauthentication is required.

04
Email confirmation.

High-risk confirmation

Sensitive operations like organization deletion require email confirmation before they proceed. This prevents accidental or unauthorized destructive actions.

What's included

Secure sessions on every plan

Available on Free, Pro, Scale, and Enterprise.

8-hour active renewal

Sessions renew every 8 hours during active use. Engineers working throughout the day are never interrupted by unexpected logouts.

72-hour inactivity timeout

Inactive sessions terminate automatically after 72 hours. Abandoned browser tabs don't remain authenticated indefinitely.

14-day maximum lifetime

All sessions expire after 14 days from creation, regardless of activity. Users reauthenticate regularly without requiring administrator action.

Email confirmation for high-risk operations

Destructive operations like organization deletion require email confirmation before they proceed. Defense in depth for the actions that matter most.

Start building with secure sessions

Session management is included on every Cosmo plan, with no configuration required.

FAQ

Session Management on Cosmo

Full details in the sessions documentation.