Web3Auth V9 Session Issues

On the frontend, I’m configuring the session to last 29 days:

However, on the backend—where session verification occurs—the session becomes invalid after 7 days. This 7-day limit isn’t configured anywhere, yet it’s being enforced.

The issue is that Web3Auth’s No Modal instance on the frontend still considers the user logged in for the full 29 days based on the sessionId stored in localStorage, even though the backend has already marked the session as invalid after 7 days.

Additionally, my dashboard is set to 30 days, so I'm not sure where the 7 days is coming from.

As an example, authenticateUser is returning an idToken from July 29th.

Thank you for the detailed report, Charles! Here’s a summary of your issue and the information gathered for the support team:


Issue Summary

  • SDK Used: Plug and Play (PnP) Web SDK (No Modal instance)
  • Platform: Web (React, based on code context)
  • SDK Version: Not specified (please confirm if you’re on v9.x.x)
  • Session Configuration:
    • Frontend: sessionTime set to 29 days (via Web3Auth options)
    • Backend: Session verification fails after 7 days, even though dashboard and frontend are set for longer (29–30 days)
    • Storage: Using localStorage for session persistence
  • Observed Behavior:
    • Frontend keeps user “logged in” for 29 days per localStorage/sessionId
    • Backend invalidates session after 7 days (idToken from authenticateUser is expired after 7 days)
    • Dashboard is set to 30 days, but 7-day expiry is enforced somewhere

Details Provided

  • Initialization & Login: Configuration code snippet provided in the message
  • Session Management: Using sessionTime in seconds, set above 7 days
  • Dashboard Setting: 30 days
  • Backend Verification: Fails after 7 days (idToken expired)
  • Relevant Docs: Session Management
  • No custom authentication or JWKS endpoint mentioned

Additional Details Needed (If Possible)

  • SDK Version: Can you confirm the exact version of the Web3Auth SDK you’re using? (This helps identify if it’s a known issue in a specific release.)
  • Backend Verification Logic: Are you decoding the idToken and checking its expiry (exp claim), or using a Web3Auth-provided endpoint for verification?
  • Any custom verifiers or advanced session management logic? (Not mentioned, but please clarify if relevant.)

Possible Cause & Next Steps

  • The default sessionTime for idTokens is 7 days (per docs).
  • Even if you set a higher value on the frontend, session duration for idToken is capped at 30 days, but defaults to 7 days unless explicitly set in both the frontend SDK and the Web3Auth dashboard.
  • There may be a misalignment between your frontend config, dashboard setting, and what’s actually being used to issue/verify the idToken.

Suggested Troubleshooting:

  1. Double-check sessionTime setting in your frontend initialization code and ensure it’s being set to 86400 * 29 (for 29 days).
  2. Ensure the dashboard setting for session duration is saved and matches your frontend config.
  3. Check the issued idToken’s exp claim (decode the JWT) to see what expiry is actually being set.
  4. If using a custom backend, ensure it’s not overriding or enforcing its own 7-day expiry.
  5. If possible, share a sample decoded idToken (with sensitive info redacted) for further analysis.


Next Steps for Support Team:
Please check if there are any known issues with sessionTime > 7 days not being respected in the latest PnP Web SDK, and whether dashboard settings might be overridden by the SDK or vice versa.


Charles, if you can provide your SDK version and a sample decoded idToken, that will help the team pinpoint the root cause faster. Thank you for your patience!

Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.

Additionally, we would recommend you to join our biweekly Office Hours to get this resolved even faster. Web3Auth Developer Office Hours
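
Step 3 of the troubleshooting list above (decode the idToken and read its `exp` claim), written out as an added example; it is not code from this thread or from Web3Auth. It assumes the idToken is a compact JWT carrying the standard `iat` and `exp` claims; the function names and the sample token are constructed for illustration.

```javascript
// Added diagnostic example (not Web3Auth code). It decodes the JWT payload WITHOUT
// verifying the signature: use it to inspect claims, never to authorize a request.
const DAY = 86400;

function b64urlToJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function decodeClaims(idToken) {
  const parts = String(idToken).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  const claims = b64urlToJson(parts[1]);
  if (!Number.isInteger(claims.exp)) throw new Error("token has no numeric exp claim");
  return claims;
}

// Compare the lifetime baked into the token with the sessionTime the frontend requested.
function sessionReport(idToken, configuredSessionSeconds, nowSeconds) {
  const { iat, exp } = decodeClaims(idToken);
  const hasIat = Number.isInteger(iat); // iat is optional in a JWT
  const lifetime = hasIat ? exp - iat : null;
  const clientValidUntil = hasIat ? iat + configuredSessionSeconds : null;
  const tokenExpired = nowSeconds >= exp;
  return {
    tokenLifetimeDays: lifetime === null ? null : lifetime / DAY,
    configuredDays: configuredSessionSeconds / DAY,
    tokenExpired,
    // true when the client still treats the session as live but the backend rejects the token
    staleClientSession: hasIat && tokenExpired && nowSeconds < clientValidUntil,
    lifetimeMatchesConfig: lifetime === configuredSessionSeconds,
  };
}

// Constructed sample: token with a 7-day lifetime and a placeholder signature.
function makeSampleToken(iat, lifetimeSeconds) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ typ: "JWT" }), enc({ iat, exp: iat + lifetimeSeconds }), "sig-placeholder"].join(".");
}

const issued = 1700000000; // constructed timestamp
const sample = makeSampleToken(issued, 7 * DAY);
// Day 8 of a session configured for 29 days: token expired, client session still "live".
console.log(sessionReport(sample, 29 * DAY, issued + 8 * DAY));
```

A `staleClientSession` of `true` is the state described in the report: the frontend should treat an expired `exp` as logged out and re-authenticate, while the backend continues to verify the token's signature and expiry on every request.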