Session Management - Native

Learn how to securely manage authentication tokens and maintain user sessions in native mobile and desktop apps.

Managing Sessions on Native Applications

For native applications, access and refresh tokens are stored on the device to maintain a user’s authenticated state. When a user logs in, the app receives an access token and a refresh token, which it stores in the device's platform-specific secure storage (e.g., iOS Keychain). As long as the access token is valid and hasn't expired, the user should be considered to have an active session. If the access token expires and a valid refresh token is available, the refresh token can be used to retrieve a new access token without having the user re-authenticate.

Ending Sessions on Logout

When an authenticated user logs out of your application, the application must ensure that all sessions and their corresponding tokens are revoked.

Deleting Device Authentication State

When a user logs out, all application session data stored in the device's platform-specific secure storage should be deleted.

Revoking the Refresh Token

If the session has a refresh token associated with it, then the application should call the Wristband Revoke Token API to revoke the refresh token.

Deleting the Wristband Authentication Session

Lastly, the application should redirect to the Wristband Logout API, which will cause the Wristband authentication session to be deleted.
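
The session check and the three logout steps described above, as an added JavaScript example (not Wristband's own code) of the kind that might sit in a React Native or Electron app. The `store` and `api` objects, their method names, and the 30-second expiry margin are assumptions made for illustration; the refresh token is read into memory before local state is wiped so it can still be revoked.

```javascript
// Added example, not Wristband code. `store` (platform secure storage) and
// `api.refresh` / `api.revoke` / `api.openLogout` are hypothetical wrappers.
const SKEW_MS = 30000; // assumed margin: treat a token as expired slightly early

function createSessionManager(store, api, now = () => Date.now()) {
  return {
    // Resolves to a usable access token, or null when the user must log in again.
    // Errors from api.refresh propagate so the caller can tell an outage from
    // a rejected refresh token.
    async getAccessToken() {
      const session = await store.load();
      if (!session) return null;
      if (session.expiresAt - SKEW_MS > now()) return session.accessToken;
      if (!session.refreshToken) {
        await store.clear(); // expired and not renewable: nothing worth keeping
        return null;
      }
      const renewed = await api.refresh(session.refreshToken);
      // Spread order keeps the stored refresh token when the response omits one.
      await store.save({ ...session, ...renewed });
      return renewed.accessToken;
    },

    // The three logout steps from this page, in order.
    async logout() {
      const session = await store.load(); // hold the refresh token in memory first
      await store.clear();                // 1. delete device authentication state
      let revoked = false;
      if (session && session.refreshToken) {
        try {
          await api.revoke(session.refreshToken); // 2. revoke the refresh token
          revoked = true;
        } catch (err) {
          // Device is already clean; the failure is reported via the return value.
        }
      }
      await api.openLogout();             // 3. delete the authentication session
      return { revoked };
    },
  };
}
```

A failed revocation does not block the rest of the logout: local state is already gone and the logout redirect still runs, with `revoked: false` returned so the app can record it.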