Session & Token Management
Antei enforces robust session control and token verification mechanisms to ensure secure access across all application modules, including Vault, integrations, and critical workflows. Sessions and tokens are encrypted, scoped, and rate-limited for compliance-grade protection.
Session Types & Expiry
Session type, timeout duration, and behavior on expiry:
App Session: times out after 10 minutes of inactivity; the user is logged out and must re-authenticate.
Vault Session: times out after 5 minutes of inactivity; a password prompt is required; active across all modules.
Scoped Tokens: valid for 5 to 15 minutes; expire automatically and must be regenerated securely.
Sessions are device-specific
Vault sessions expire independently of app sessions
Expiry is enforced by backend system time, not just browser events
Token Architecture
Antei uses opaque, encrypted tokens backed by secure infrastructure:
Stored in Postgres Database with SHA-256 hashing
Not stored in browser local/session storage
Passed securely via URL params or internal context
Validated and decoded before any data access or processing
Scoped Token Flow
Scoped tokens are generated dynamically for operations such as:
Vault file previews
Temporary access to download links
One-time API routing for background jobs
Each token is:
Scoped to a user, org, and action
Time-limited and invalidated automatically
Logged and tracked in session activity history
Example: A user viewing a tax document from Vault uses a scoped token valid for 5 minutes.
API Keys & Environments
Antei supports API keys for integration use across environments:
Key type, description, and use case:
Production: access to live org data; used for real-time automation and data syncs.
Staging: test data workflows and development; used for QA testing and sandbox integrations.
Keys are org-specific, role-scoped, and non-retrievable after creation
Rotate keys regularly and disable unused ones from Settings → Access Tokens
API Protection & Rate Limiting
Every request to Antei's platform APIs passes through security checks:
Layer and purpose:
Rate Limiting: prevents abuse using per-org, per-token rules.
Token Verification: validates expiry, hash signature, and origin.
User Binding: the auth token must match the active user session.
Org Authorization: ensures the user belongs to the org in context.
Permission Enforcement: enforces resource-level access based on user role.
Authentication Flow
Each protected route follows this pipeline:
Rate Check: controls frequency of access
Token Validation: checks SHA-256, expiry, and presence
User Association: token must match the logged-in user
Org Binding: prevents cross-org token abuse
Permission Evaluation: verifies the user role against the resource access matrix
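The pipeline above, written out as an added Python illustration (not Antei's code): the in-memory dictionaries stand in for the Postgres-backed token store, and the rate-limit window, permission table, user/org/action names and `vault:*` action labels are assumed values, not Antei's.

```python
import hashlib
import secrets
import time

# Hypothetical in-memory stores standing in for Antei's Postgres-backed storage.
TOKENS = {}          # sha256(token) -> scope record; raw tokens are never persisted
RATE = {}            # (org, token_hash) -> (window_start, count)
RATE_LIMIT = 5       # requests per window (assumed value)
WINDOW = 60.0        # seconds (assumed value)

# Assumed role -> allowed actions matrix.
PERMISSIONS = {"viewer": {"vault:preview"}, "admin": {"vault:preview", "vault:download"}}

def issue_scoped_token(user, org, action, ttl_seconds=300, now=None):
    """Return an opaque token scoped to user, org and action; only its SHA-256 hash is stored."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(raw.encode()).hexdigest()] = {
        "user": user, "org": org, "action": action, "expires": now + ttl_seconds}
    return raw

def rate_check(org, token_hash, now):
    """Per-org, per-token fixed-window counter; True while under the limit."""
    key = (org, token_hash)
    start, count = RATE.get(key, (now, 0))
    if now - start >= WINDOW:
        start, count = now, 0
    RATE[key] = (start, count + 1)
    return count + 1 <= RATE_LIMIT

def authorize(raw_token, session_user, session_org, role, action, now=None):
    """Run the five-step pipeline; returns (ok, reason). Expired tokens are deleted on sight."""
    now = time.time() if now is None else now
    h = hashlib.sha256(raw_token.encode()).hexdigest()
    if not rate_check(session_org, h, now):          # 1. rate check
        return False, "rate_limited"
    rec = TOKENS.get(h)                               # 2. token validation (hash, presence, expiry)
    if rec is None:
        return False, "unknown_token"
    if now >= rec["expires"]:
        del TOKENS[h]
        return False, "expired"
    if rec["user"] != session_user:                   # 3. user association
        return False, "user_mismatch"
    if rec["org"] != session_org:                     # 4. org binding
        return False, "org_mismatch"
    if rec["action"] != action or action not in PERMISSIONS.get(role, set()):
        return False, "forbidden"                     # 5. permission evaluation
    return True, "ok"
```

Because the store holds only hashes, a database read alone does not yield a usable token; the expiry check compares against the server clock, matching the page's note that expiry is enforced by backend time.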
Vault-Specific Controls
Vault enforces additional authentication logic:
Sessions expire after 5 minutes of inactivity, requiring the password to be entered again
Vault sessions span across modules but remain sandboxed
Every file action uses scoped, auto-expiring tokens
Events are separately tracked in Audit Trails
Auditability & Observability
Session token generation, use, and expiry are logged
Vault events (access, file view, expiry) appear in audit logs
Admins can see active sessions per user but cannot revoke them, to prevent accidental invalidation
Token misuse or errors trigger alert logs for monitoring
Security Highlights
SHA-256 hashed tokens
No browser-side persistent storage
Rate-limited API access
Org+user+action scoped auth layers
Separate controls for Vault
All flows backed by secure Retool-based storage
Need Help?
For session, token, or Vault access queries, reach out at support@antei.com