Sessions are server-authoritative
Create the session on the server, run the check in the browser, submit the result from the server, then enforce only on the signed outcome.
Session primitives
Create
The server creates a session with a mode (biometric or checkbox) and an optional user reference.
Model access
A short-lived model access token, scoped to one session and issued server-side, is handed to the browser biometric runtime. The browser never mints or extends it.
Submit result
The server submits the biometric or checkbox result and receives the canonical outcome, plus a signed outcome token when the session is eligible.
Idempotency
Use idempotency keys on the create and result-submission paths so a retried request does not create a second session or record a second result.
Expiry
Model access tokens expire quickly. Treat expiry as recoverable: request fresh model access for the same session instead of failing the flow.
Retries
Retry network-safe operations with bounded backoff, reusing the same idempotency key on every attempt.
Recommended behavior
- Never issue sessions from the client directly; only the server creates them.
- Never enforce on a browser event alone; enforce only after verifying the signed outcome.
- Persist idempotency keys and request logs for auditability.
- Track session age to detect stale flows and timeout hotspots.
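The full server-side flow above, as an added example that is not the product's own SDK or API. Every name here is hypothetical (SessionServer, create_session, issue_model_access, submit_result, enforce, the TTL constants), and HMAC-SHA256 under a server-only key stands in for whatever the real service uses to sign outcomes. It shows the points the page makes: the server creates sessions and mints a session-scoped, short-lived model access token; expiry is recovered by re-issuing; result submission is idempotent and records a request log; and enforcement reads only a verified signed outcome, rejecting a model access token, a token for another session, or an expired one.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional

# Assumptions, not from the page: HMAC-SHA256 under a server-only key stands in
# for the service's real signature scheme; the TTLs are illustrative.
SIGNING_KEY = b"server-only-secret-never-sent-to-the-browser"
MODEL_TOKEN_TTL = 60      # model access tokens are short-lived and re-issuable
OUTCOME_TOKEN_TTL = 300   # how long a signed outcome may be enforced on
SESSION_MAX_AGE = 900     # pending longer than this counts as a stale flow


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict) -> str:
    """Canonical JSON plus an HMAC tag, encoded as <b64 body>.<b64 tag>."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify(token: str, now: float) -> Optional[dict]:
    """Return the payload only if the tag matches and the token is unexpired."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(body)
    return payload if payload.get("exp", 0) > now else None


class SessionServer:
    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}
        self.idempotent: dict[str, dict] = {}  # idempotency key -> first response
        self.request_log: list[dict] = []      # persisted alongside for audit

    def _once(self, key: str, op: Callable[[], dict]) -> dict:
        # A retry with the same key replays the stored response, never the side effect.
        if key not in self.idempotent:
            self.idempotent[key] = op()
        self.request_log.append({"idempotency_key": key, "response": self.idempotent[key]})
        return self.idempotent[key]

    def create_session(self, mode: str, idem_key: str, now: float,
                       user_ref: Optional[str] = None) -> dict:
        def op() -> dict:
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = {"mode": mode, "user_ref": user_ref,
                                  "created_at": now, "status": "pending"}
            return {"session_id": sid, "mode": mode}
        return self._once(idem_key, op)

    def issue_model_access(self, session_id: str, now: float) -> str:
        # Bound to one session, so a leaked token cannot be reused elsewhere.
        if self.sessions[session_id]["status"] != "pending":
            raise PermissionError("session is no longer pending")
        return sign({"typ": "model_access", "sid": session_id, "exp": now + MODEL_TOKEN_TTL})

    def submit_result(self, session_id: str, result: dict, idem_key: str, now: float) -> dict:
        def op() -> dict:
            session = self.sessions[session_id]
            if session["status"] != "pending":
                return {"session_id": session_id, "outcome": "rejected"}
            # The result kind must match the mode the server chose at creation.
            eligible = result.get("kind") == session["mode"] and result.get("passed") is True
            session["status"] = "completed"
            outcome = {"session_id": session_id, "outcome": "passed" if eligible else "failed"}
            if eligible:
                outcome["token"] = sign({"typ": "outcome", "sid": session_id,
                                         "mode": session["mode"], "exp": now + OUTCOME_TOKEN_TTL})
            return outcome
        return self._once(idem_key, op)

    def stale_sessions(self, now: float) -> list[str]:
        return [sid for sid, s in self.sessions.items()
                if s["status"] == "pending" and now - s["created_at"] > SESSION_MAX_AGE]


def enforce(outcome_token: str, expected_session: str, now: float) -> bool:
    """Enforcement reads the signed outcome only, never a browser-side claim."""
    payload = verify(outcome_token, now)
    return (payload is not None and payload.get("typ") == "outcome"
            and payload.get("sid") == expected_session)
```

The browser's only role in this model is to receive the model access token and run the check; nothing it reports is trusted until the server has submitted the result and the enforcing code has verified the signed outcome's tag, type, session binding and expiry. A real deployment would back `sessions`, `idempotent` and `request_log` with durable storage so keys survive restarts and retries.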