
Authenticated sessions across multiple applications

Kinde supports shared authenticated sessions across applications. For example, if you run multiple apps on separate subdomains, you can share one session between them so the user is not prompted to sign in again when moving from one app to another.

Session cookies


On the first sign in, Kinde sets an SSO cookie for the authenticated user. Until that cookie expires, or you explicitly ask for the user to sign in again (by sending the prompt parameter on the authorization request, for example prompt=login), any of your apps can initiate a sign-in request and complete it without the user being prompted for credentials.

Offline scopes and refresh tokens


If you include the offline scope in your authorization request, Kinde issues a refresh token, which lets you maintain long-running sessions beyond the lifetime of a single access token. This works both in back-end apps and in web apps.

For browser-based and mobile apps, Kinde supports short-lived refresh tokens and refresh token rotation, which limit how long a leaked refresh token can be used. In this case, on page reload the SDK resumes the session by exchanging the stored refresh token for a new set of tokens rather than starting a new sign-in.

Set up overview

  1. Create two or more Kinde apps.
  2. Enable the same authentication method for all of the apps.
  3. In each app, add a link to the other app that starts that app's sign-in flow using the applicable login method. You might do this with an application switcher, for example.
  4. Sign in to one app.
  5. Select the link to the second app. You should be signed in to the second app without being asked to authenticate again.

Say you are signed into your Admin app and want to switch to the Employee app. Here’s how it might look.

[Image: Example of a multi-application session]

As long as an authenticated session exists, users should be able to move seamlessly between applications.

Client-specific refresh token cookies


By default, applications on the same custom domain share a single refresh_token cookie. Signing in to one application can overwrite the refresh token set by another, which may break the other app’s session.

Kinde supports client-specific refresh token cookies to avoid this. When enabled for an application, the refresh token is stored in a uniquely named cookie (for example, refresh_token_abc123), so each app maintains its own refresh token independently. Enable this per application under Settings > Applications > [your app] > Tokens > Refresh token cookies. A custom domain must be configured. See Refresh tokens for more detail.

See also multi-domain authentication.