Session configuration
Session configuration defines tenant-level controls for how long Logto sign-in sessions stay active and how session-related access policies are enforced.
This page covers:
- Session TTL configuration
- Max concurrent authenticated devices per app
Session TTL configuration
Session TTL determines the maximum lifetime of the Logto OIDC sign-in session. It is a tenant-level setting: once configured, it applies to all apps and authentication flows in that tenant.
Default behavior
- By default, session TTL is 14 days.
- If no custom TTL is configured, Logto continues to use this default value.
Configure via Logto Console
You can configure session TTL in Console under:
Console > Tenant > Settings > OIDC settings
Use Session maximum time to live to update the value.
Console uses days for input and display, while the underlying OIDC session config and Management API use seconds, so convert before calling the API directly (14 days = 1209600 seconds).
Configure via Management API
Use these endpoints to read and update OIDC session configuration:
GET /api/configs/oidc/session
PATCH /api/configs/oidc/session
Example (ttl in seconds):
curl https://[tenant-id].logto.app/api/configs/oidc/session \
-H 'authorization: Bearer <management_api_access_token>'
curl -X PATCH https://[tenant-id].logto.app/api/configs/oidc/session \
-H 'authorization: Bearer <management_api_access_token>' \
-H 'content-type: application/json' \
--data-raw '{"ttl":1209600}'
1209600 seconds = 14 days.
For OSS deployments, restart the service instance after changing logto-config so the server can pick up the latest OIDC settings.
To apply OIDC config updates automatically without restarting the service, enable central redis cache.
Max concurrent authenticated devices per app
Max concurrent authenticated devices per app is an app-level control that limits how many active grants each user can keep for a specific app.
This is configured through the maxAllowedGrants field in application customClientMetadata.
Learn more in Application data structure.
Behavior
When maxAllowedGrants is set, Logto evaluates the user's active grants for the current app on every successful authorization.
If the number of active grants exceeds the limit, Logto revokes the oldest grants first.
If maxAllowedGrants is not set, there is no concurrency limit.
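To make the behavior above concrete, here is an added example, not Logto's own code, that models the "revoke the oldest grants first" rule on constructed sample grants and builds the application update that writes maxAllowedGrants into customClientMetadata. Assumptions labelled in the code: the grant issued by the current authorization is counted against the limit; the update goes to the Management API application endpoint, assumed here as PATCH /api/applications/{id}; the application type strings MachineToMachine, Protected and SAML stand for the three unsupported app kinds the page names; the function names and sample data are this example's own.

```javascript
// Added example (not Logto's own code). Models the documented policy "if active
// grants exceed maxAllowedGrants, revoke the oldest first" and builds the PATCH
// that sets the limit. Assumptions: the new grant counts toward the limit; the
// endpoint PATCH /api/applications/{id} and the type strings below are assumed.

const UNSUPPORTED_APP_TYPES = new Set(['MachineToMachine', 'Protected', 'SAML']); // assumed type names

function assertLimitSupported(appType) {
  if (UNSUPPORTED_APP_TYPES.has(appType)) {
    throw new Error(`maxAllowedGrants is not supported for ${appType} applications`);
  }
}

// undefined/null means "unset", i.e. no concurrency limit.
function validateMaxAllowedGrants(limit) {
  if (limit === undefined || limit === null) return undefined;
  if (!Number.isInteger(limit) || limit < 1) {
    throw new RangeError(`maxAllowedGrants must be a positive integer, got ${limit}`);
  }
  return limit;
}

// Given one user's active grants for one app (including the grant just issued),
// return the ids to revoke so that at most `limit` remain: oldest createdAt first.
function grantsToRevoke(activeGrants, limit) {
  const max = validateMaxAllowedGrants(limit);
  if (max === undefined) return []; // no limit configured
  const oldestFirst = [...activeGrants].sort((a, b) => a.createdAt - b.createdAt);
  const excess = oldestFirst.length - max;
  return excess > 0 ? oldestFirst.slice(0, excess).map((grant) => grant.id) : [];
}

// Build the app update; existing customClientMetadata keys are preserved and
// passing an unset limit removes maxAllowedGrants instead of writing null.
function buildSetConcurrentDeviceLimit(endpoint, token, app, limit) {
  assertLimitSupported(app.type);
  const max = validateMaxAllowedGrants(limit);
  const customClientMetadata = { ...(app.customClientMetadata || {}) };
  delete customClientMetadata.maxAllowedGrants;
  if (max !== undefined) customClientMetadata.maxAllowedGrants = max;
  return {
    url: `${endpoint.replace(/\/+$/, '')}/api/applications/${encodeURIComponent(app.id)}`,
    init: {
      method: 'PATCH',
      headers: { authorization: `Bearer ${token}`, 'content-type': 'application/json' },
      body: JSON.stringify({ customClientMetadata }),
    },
  };
}

// Constructed sample: one user with three earlier devices plus the sign-in that just succeeded.
const SAMPLE_GRANTS = [
  { id: 'grant-laptop', createdAt: Date.UTC(2024, 0, 1) },
  { id: 'grant-phone', createdAt: Date.UTC(2024, 0, 5) },
  { id: 'grant-tablet', createdAt: Date.UTC(2024, 0, 9) },
  { id: 'grant-new-device', createdAt: Date.UTC(2024, 0, 12) },
];
```

With a limit of 2, `grantsToRevoke(SAMPLE_GRANTS, 2)` returns the laptop and phone grants, leaving the tablet and the device that just signed in; with the limit unset it returns nothing, matching "no concurrency limit". Note the sort key is the grant's creation time, so a device that re-authenticates and receives a fresh grant moves to the back of the revocation order.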
Configure via Logto Console
You can configure this in each app's details page under:
Console > Applications > Application details > Concurrent device limit
Set the maximum number of concurrent active grants (devices) per user for the current app.
This setting is not supported for machine-to-machine apps, protected apps, and SAML apps.
Related resources
- Sessions
- Manage user sessions
- Manage user authorized apps (grants)
- Application data structure: maxAllowedGrants
- Interact with Management API