Skip to main content
Session security settings are available on Enterprise plans.
Enterprise admins can require dashboard users to reauthenticate on a schedule that fits your organization’s security policies. Two independent controls determine when a dashboard session ends:
  • Idle session duration: How long a session can remain inactive before the user is signed out.
  • Maximum session lifetime: The absolute lifetime of a session, regardless of activity. When exceeded, the user is signed out and must reauthenticate.
If a setting is not configured, Mintlify’s default applies. Both settings accept values between 5 minutes and 14 days (20,160 minutes).

Configure session duration

To review or change session security settings, go to the Single Sign-On page of your dashboard.

Idle session duration

The idle session duration controls how long a session can remain inactive before it expires. Any dashboard request from the user resets the idle timer. Use a shorter idle duration to reduce the risk of unattended sessions being used by someone other than the signed-in user, for example on shared or unlocked devices.

Maximum session lifetime

The maximum session lifetime is the absolute cap on how long a single sign-in can last. It is measured from the moment the user signed in and is not extended by activity. When the maximum lifetime is reached, the user is signed out even if they are actively using the dashboard. Use a maximum lifetime to guarantee that users reauthenticate on a regular cadence, which can help you meet compliance requirements or revalidate access after identity provider changes.

How the settings interact

The two settings apply independently. A user’s session ends at whichever limit is reached first:
  • If the user is inactive for longer than the idle session duration, the session ends.
  • If the maximum session lifetime elapses since sign-in, the session ends even if the user is active.
For example, if you set the idle duration to 1 hour and the maximum lifetime to 8 hours, an actively working user is signed out after 8 hours, and an idle user is signed out after 1 hour.

Restrict dashboard access by IP

Use the IP allowlist to restrict dashboard access to a set of trusted networks. When the allowlist has one or more entries, only requests from those IPs or ranges can sign in to or use the dashboard. When the allowlist is empty, the dashboard is accessible from any IP address.
If your current IP address is not on the allowlist, you can lock yourself out of the dashboard. Confirm your IP is included before saving.
To configure the allowlist, go to the Network access page of your dashboard.
  • Add an entry: Enter an IPv4 or IPv6 address, or a CIDR range (for example, 203.0.113.7 or 10.0.0.0/8), then select Add. Adding the first entry enables the allowlist.
  • Remove an entry: Select the × on any entry. Removing the last entry disables the allowlist.
  • Check your IP: Your current IP address is shown below the entry list so you can confirm it is covered before saving changes.
The status badge next to Allowed IP addresses shows Active when at least one entry is present and Disabled when the list is empty.

Audit logging

Changes to session security settings are recorded in your organization’s audit logs under the org category. Look for these actions to review who updated the settings and when:
  • org.session_security_session_duration_updated
  • org.session_security_session_duration_deleted
  • org.session_security_max_session_lifetime_updated
  • org.session_security_max_session_lifetime_deleted
  • org.session_security_ip_allowlist_updated