Session timeout
How Meridian handles idle sessions, automatic re-authentication, and forced logout.
14‑day session cookie
Meridian issues a signed, HTTP‑only session cookie with a fixed 14‑day lifetime. The cookie carries no personally identifiable information — only an opaque session reference that the server validates on every request. If the cookie is absent, expired, or tampered with, the client is treated as unauthenticated.
Automatic re‑authentication
When a protected route detects an expired session, the loader redirects the browser to the KeyAuth OAuth2 authorize endpoint. Because Meridian stores a long‑lived refresh token (encrypted server‑side), the user is silently re‑authenticated and returned to the original page without seeing a login form. This flow completes in under 800 ms on a warm cache.
Forced logout
Administrators may revoke any session from the dashboard. On the next authenticated request the server returns a 401, the client clears the cookie, and the browser lands on the public home page. Revocation propagates globally within 60 seconds via Upstash KV pub/sub, so a stolen session token stops working within 60 seconds of being revoked.
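The checks described under "14‑day session cookie" and "Forced logout", as an added example that is not Meridian's own code. It assumes a cookie layout of `<ref>.<expiresAtMs>.<hmac>` signed with HMAC-SHA256, and an in-memory `revoked` set standing in for the KV store; all function names are hypothetical.

```javascript
// Added example. Assumed cookie layout: "<ref>.<expiresAtMs>.<hmac>" (not Meridian's real format).
const crypto = require('node:crypto');

const LIFETIME_MS = 14 * 24 * 60 * 60 * 1000; // fixed 14-day lifetime, as stated on the page

function sign(secret, payload) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
}

// Issue a cookie value that holds only an opaque random reference, never user data.
function issueCookie(secret, now = Date.now()) {
  const ref = crypto.randomBytes(16).toString('base64url');
  const payload = `${ref}.${now + LIFETIME_MS}`;
  return `${payload}.${sign(secret, payload)}`;
}

// Returns { ok: true, ref } or { ok: false, reason }. Any failure means unauthenticated.
function validateCookie(secret, cookie, revoked = new Set(), now = Date.now()) {
  if (typeof cookie !== 'string' || cookie === '') return { ok: false, reason: 'absent' };
  const parts = cookie.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'tampered' };
  const [ref, exp, mac] = parts;
  const expected = Buffer.from(sign(secret, `${ref}.${exp}`));
  const given = Buffer.from(mac);
  // Constant-time compare; check length first because timingSafeEqual throws on a mismatch.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'tampered' };
  }
  // Trust the expiry field only after the signature has been verified.
  if (!/^\d+$/.test(exp) || Number(exp) <= now) return { ok: false, reason: 'expired' };
  // Forced logout: a revoked reference is rejected even though the cookie is intact.
  if (revoked.has(ref)) return { ok: false, reason: 'revoked' };
  return { ok: true, ref };
}
```

The signature is checked before the expiry is read, so a client cannot extend its own session by editing the timestamp.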
Idle timeout (optional)
Teams on the Enterprise plan can enable an idle timeout (5–60 minutes). A lightweight client‑side heartbeat pings the server every 30 seconds. If the server receives no heartbeat for the configured timeout, the session is marked idle and the refresh token is rotated, forcing re‑authentication on the next activity.