The **Sessions** page lets you configure how JSON Web Tokens (JWTs) are issued for the current environment. You can manage signing keys, adjust token lifetime and clock skew, and preview the claims structure — all from **Security > Sessions** (`/dashboard/security?tab=sessions`).

## Signing keys

Signing keys are the JSON Web Keys (JWKs) used to sign access tokens for your environment. The page displays three stats cards summarizing key status:

| Card | Icon | Description |
|------|------|-------------|
| **Total Keys** | Key (blue) | The total number of signing keys created in this environment. |
| **Keys Used Today** | CheckCircle2 (green) | The number of keys currently active and used to sign new tokens. |
| **Revoked Keys** | Ban (red) | The number of keys that are no longer active. |

Below the stats cards, a table lists all signing keys with the following columns:

| Column | Details |
|--------|---------|
| **Key ID** | The first segment of the key UUID, rendered in monospace text. |
| **Type** | Key type (`kty`) — e.g. `RSA` or `OKP`. |
| **Use** | Key usage — always `sig` (signature). |
| **Algorithm** | The signing algorithm (e.g. `RS256`, `Ed25519`), shown as an outlined badge. |
| **Status** | A badge indicating the key state: **"In use"** (green), **"Inactive"** (neutral), or **"Revoked"** (red). |
| **Dates** | Created, updated, and revoked timestamps. |
| **Actions** | Inline action buttons (only shown for inactive keys). |

### Create a signing key

Click **"New JSON Web Key"** in the card header to open the creation dialog. Select the desired algorithm from the dropdown (default: RS256) and click **"Save Key"**. The new key is created in an **Inactive** state.

### Activate a key

Click **"Use Key"** on an inactive key row. Only active keys are used to sign new tokens. You can have multiple active keys to support key rotation.

### Revoke a key

Click **"Revoke"** (destructive style) on an inactive key row. Revoked keys remain listed for auditing but are never used to sign new tokens. Tokens previously signed with a revoked key can still be verified using the public key from the JWKS endpoint until they expire.

> **Caution**
>
> Revoking a key is permanent. Once revoked, a key cannot be reactivated.
> Ensure you have at least one active key before revoking others.

## JWT settings

The JWT Settings section controls how tokens are issued for the current environment. Two range sliders let you configure:

| Setting | Range | Default | Description |
|---------|-------|---------|-------------|
| **Token Lifetime** | 0–100,000 seconds | 3,600 seconds (1 hour) | How long an access token remains valid after it is issued. |
| **Allowed Clock Skew** | 0–600 seconds | 60 seconds | The tolerance window for clock differences between the issuer and the verifier. Helps avoid token rejection due to minor time drift. |

The current value in seconds is displayed below each slider. Adjust the sliders and click **"Save Settings"** to apply changes. The button is disabled until you change a value. The new settings take effect for all tokens issued after saving.

> **Tip**
>
> A token lifetime of 3,600 seconds (1 hour) is a reasonable default for most applications.
> Reduce it for high-security environments or increase it for long-lived sessions.

## Claims preview

The claims preview panel shows a live JSON representation of the JWT payload structure for the current environment. It is displayed in a dark-themed code block alongside the JWT settings form. The preview dynamically reflects the current token lifetime value as you adjust the slider.

```json
{
  "root": {
    "iss": "https://id.authdog.com",
    "iat": "{{ ISSUED_TIME }}",
    "exp": "{{ ISSUED_TIME + tokenLifetime }}",
    "groups": "{{user.groups}}",
    "sub": "{{user.externalId}}:{{user.environmentId}}"
  }
}
```

Use this preview to verify the shape and expiry of tokens your application will receive before saving changes.

## Supported algorithms

| Algorithm | Key Type | Description |
|-----------|----------|-------------|
| **RS256** | RSA | RSASSA-PKCS1-v1_5 using SHA-256 |
| **RS384** | RSA | RSASSA-PKCS1-v1_5 using SHA-384 |
| **RS512** | RSA | RSASSA-PKCS1-v1_5 using SHA-512 |
| **PS256** | RSA | RSASSA-PSS using SHA-256 |
| **PS384** | RSA | RSASSA-PSS using SHA-384 |
| **PS512** | RSA | RSASSA-PSS using SHA-512 |
| **Ed25519** | OKP | Edwards-curve Digital Signature Algorithm |

## Related

| Read | To learn how to |
|------|-----------------|
| [Environments](/docs/console/environments) | Manage deployment environments that scope session configuration |
| [Sessions & tokens](/docs/concepts/sessions-tokens) | How issued sessions are validated in your app |
| [Projects](/docs/console/projects) | Select a project before configuring sessions |
