The duration of user sessions can be configured from Admin Panel > Security > Account Lock Settings.

We will find two different timeouts that we can configure: for active sessions and for inactive sessions. We can also specify a different duration for the session in the mobile app.

Active session timeout

This time measures the maximum time a user can be logged in without having to log in again. That is, even in a session where the user is actively clicking and navigating, they will be asked to log in again.

The maximum is 24 hours if we decide to enable forced session expiration.

Inactive session timeout

This option controls how long a user's session remains inactive (i.e., without interaction) before automatically closing.

The maximum amount is 480 minutes.

Maximum token duration for the mobile app

This option controls how often the app will ask the user to authenticate. The maximum possible time is 336 hours, which equals 14 days.