Session Management in the Integration Environment
This guide explains how to manage sessions when working with the FinHub API in the Integration environment, which implements production-equivalent session handling.Session Tokens Overview
When a user logs in through the authentication endpoints, the system creates a session and returns several tokens:Key Session Components
Component | Description | Usage |
---|---|---|
userSessionToken | JWT token for user session validation | Used for session validation and contains user identity claims |
refreshToken | Token used to obtain a new session token without re-authentication | Used when the session token expires |
customerId | Unique identifier for the customer | Reference in customer-related operations |
tenantId | Identifier for the tenant | Used for multi-tenant operations |
Required Session Headers
Every API request in the FinHub Integration environment must include these headers:Header | Description | Required | Example |
---|---|---|---|
Authorization | Bearer token for authentication | Yes | Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... |
X-Activity-ID | UUID that identifies a specific user activity or flow | Yes | 550e8400-e29b-41d4-a716-446655440000 |
X-Tenant-ID | Tenant identifier for multi-tenant operations | Yes | 1234567 |
X-Session-ID | Optional session identifier for session tracking | No | session-12345678 |
X-Correlation-ID | Optional identifier for request correlation | No | corr-12345678 |
Activity ID Generation
The Activity ID should be a UUID (v4) generated for each distinct user activity or flow. For example:Session Lifecycle Management
Session Creation
A session is created when a user successfully authenticates through the login endpoint. The session includes:- A user session token (JWT)
- A refresh token for token renewal
- An internally managed access token (not exposed to clients)
- User identity information
Token Refresh
In the Integration environment, you can refresh an expired token without requiring the user to re-enter credentials:Session Expiration Handling
To handle session expiration gracefully:- Monitor token expiration: Check the token expiration before making API requests
- Implement automatic refresh: Refresh the token when it’s close to expiration
- Handle refresh failures: If refresh fails, redirect to the login page
Session Termination
To explicitly terminate a session, call the logout endpoint:Session Security Best Practices
Token Storage
Store tokens securely based on your platform:Platform | Recommended Storage | Not Recommended |
---|---|---|
Web Browser | HttpOnly cookies, Session Storage | Local Storage, JavaScript variables |
Mobile Apps | Secure Keychain (iOS), Keystore (Android) | SharedPreferences, UserDefaults |
Server-side | Encrypted database, Redis | Environment variables, config files |
Token Transmission
- Always use HTTPS for all API requests
- Use Bearer authentication scheme in the Authorization header
- Never include tokens in URLs or query parameters
- Implement CSRF protection for web applications
Session Monitoring
- Implement session activity logging
- Monitor for suspicious session activities
- Set up alerts for unusual session patterns
- Implement rate limiting for authentication endpoints
Differences from Playground
Feature | Playground | Integration |
---|---|---|
Token Expiration | Longer (10000s) | Standard (3600s) |
Refresh Token | Not provided | Provided |
Session Headers | Basic | Comprehensive |
Security Requirements | Lenient | Strict |