Organization session policy

Override application-level session timeouts for specific organizations with custom absolute and idle session policies

By default, all organizations inherit the session policy configured at the application level — covering absolute session duration and idle timeout. When an enterprise customer requires stricter or different session controls than your application defaults, you can set a custom session policy on a per-organization basis.

Scalekit always enforces the stricter of the two (application vs. organization) at session creation time, so organization policies can only tighten — not relax — your application-level defaults.

Each organization can either inherit the application session policy or define its own. The two settings you can customize per organization are:

| Setting | Behavior |
| --- | --- |
| Absolute session timeout | Maximum session lifetime regardless of activity. Scalekit applies min(app value, org value). |
| Idle session timeout | Inactivity period after which the session expires. Enabled if either the app or org has it on; duration is min(app value, org value). |

Access token lifetime is not configurable at the org level. It remains an application-level setting only.
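
The "stricter of the two" rule above can be modeled locally to check which values an organization will actually get before saving a custom policy. This is an added example, not Scalekit's code: the function name effectiveSessionPolicy and the overridden list are hypothetical, field names mirror the SDK snippets on this page, and all durations are assumed to be in minutes.

```javascript
// Added example (not Scalekit code): models the min(app, org) rule locally.
// Field names mirror the SDK snippets on this page; all durations are
// assumed to be in minutes. Nothing here calls the Scalekit API.
function effectiveSessionPolicy(app, org) {
  // An org whose policySource is not 'CUSTOM' inherits the app policy as-is.
  const o = org.policySource === 'CUSTOM' ? org : app;
  for (const p of [app, o]) {
    if (!Number.isInteger(p.absoluteSessionTimeout) || p.absoluteSessionTimeout <= 0) {
      throw new RangeError('absoluteSessionTimeout must be a positive integer');
    }
    if (p.idleSessionTimeoutEnabled &&
        (!Number.isInteger(p.idleSessionTimeout) || p.idleSessionTimeout <= 0)) {
      throw new RangeError('idleSessionTimeout must be a positive integer when enabled');
    }
  }
  const overridden = []; // org settings that the stricter app value replaces

  // Absolute timeout: min(app value, org value).
  const absolute = Math.min(app.absoluteSessionTimeout, o.absoluteSessionTimeout);
  if (o.absoluteSessionTimeout > absolute) overridden.push('absoluteSessionTimeout');

  // Idle timeout: on if either side has it on.
  const idleEnabled = Boolean(app.idleSessionTimeoutEnabled || o.idleSessionTimeoutEnabled);
  let idle = null;
  if (idleEnabled) {
    // Assumption: a side with idle timeout off contributes no duration to the min.
    idle = Math.min(...[app, o].filter(p => p.idleSessionTimeoutEnabled)
                               .map(p => p.idleSessionTimeout));
    if (!o.idleSessionTimeoutEnabled) overridden.push('idleSessionTimeoutEnabled');
    else if (o.idleSessionTimeout > idle) overridden.push('idleSessionTimeout');
  }
  return { absoluteSessionTimeout: absolute, idleSessionTimeoutEnabled: idleEnabled,
           idleSessionTimeout: idle, overridden };
}

// Constructed sample values, not taken from any real tenant.
const appPolicy = { absoluteSessionTimeout: 720, idleSessionTimeoutEnabled: true, idleSessionTimeout: 30 };
const stricterOrg = { policySource: 'CUSTOM', absoluteSessionTimeout: 480,
                      idleSessionTimeoutEnabled: true, idleSessionTimeout: 15 };
const looserOrg = { policySource: 'CUSTOM', absoluteSessionTimeout: 1440,
                    idleSessionTimeoutEnabled: false, idleSessionTimeout: 0 };

console.log(effectiveSessionPolicy(appPolicy, stricterOrg));
console.log(effectiveSessionPolicy(appPolicy, looserOrg));
```

A non-empty overridden list means the organization asked for something looser than the application policy, so the saved custom values will not match what sessions actually receive.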

Set up custom session policy for an organization

Enable the Session Policy feature for an organization before configuring a custom policy. Navigate to Dashboard > Organizations > [Organization] > Overview > Edit and turn on the Session Policy feature. You can also use the organization settings API.

Once the Session Policy feature is enabled for the organization, you can configure a custom policy for the organization via the Scalekit dashboard.

  1. Go to Dashboard > Organizations and open the organization.
  2. Click the Session Policy tab.
  3. Select Custom to apply org-specific settings, or Application to revert to defaults.
  4. Set the Absolute session timeout and Idle session timeout for the organization.
  5. Click Save.

Let org admins self-serve via Hosted Widgets

You can let your customers manage their own session policy through Hosted Widgets — an embeddable self-service portal that lets your customers manage organization and user-level settings. When the Session Policy feature is enabled for an organization, the Session Policy widget becomes available in the Hosted Widget portal.

  1. Get the current session policy

    Retrieve the active session policy for an organization to display it in your settings UI or audit the current configuration.

    Get session policy
    // Assumes `scalekit` is an already-initialized Scalekit SDK client.
    try {
      const policy = await scalekit.organization.getOrganizationSessionPolicy('org_12345');
      // policySource: 1 = APPLICATION (inheriting defaults), 2 = CUSTOM (org-specific values active)
      console.log('Policy source:', policy.policySource);
      console.log('Absolute timeout (minutes):', policy.absoluteSessionTimeout);
      console.log('Idle timeout enabled:', policy.idleSessionTimeoutEnabled);
    } catch (error) {
      console.error('Failed to get session policy:', error.message);
    }

  2. Set a custom session policy

    Apply a custom policy when an organization requires different session durations than your application defaults.

    Set custom session policy
    try {
      const updated = await scalekit.organization.updateOrganizationSessionPolicy('org_12345', {
        policySource: 'CUSTOM',
        absoluteSessionTimeout: 480,
        absoluteSessionTimeoutUnit: 'MINUTES',
        idleSessionTimeoutEnabled: true,
        idleSessionTimeout: 60,
        idleSessionTimeoutUnit: 'MINUTES',
      });
      console.log('Policy updated:', updated.policySource);
    } catch (error) {
      console.error('Failed to update session policy:', error.message);
    }

  3. Revert to application defaults

    Remove the custom policy and restore the organization to the application-level session settings.

    Revert to application defaults
    try {
      await scalekit.organization.updateOrganizationSessionPolicy('org_12345', {
        policySource: 'APPLICATION',
      });
    } catch (error) {
      console.error('Failed to revert session policy:', error.message);
    }