The Scute Session Object

A Scute Session represents the authentication tokens returned after successful authentication. The object contains the JWT tokens used to authenticate API requests.

Attributes

access (string, required)
JWT access token for API authentication. Example: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

refresh (string)
JWT refresh token for obtaining new access tokens (only included if the app has refresh_payload enabled). Example: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

csrf (string, required)
CSRF token for request validation. Example: a1b2c3d4e5f6g7h8i9j0

access_expires_at (integer, required)
Unix timestamp when the access token expires. Example: 1705318200

refresh_expires_at (integer)
Unix timestamp when the refresh token expires (only included if a refresh token is present). Example: 1737940200

user_id (string, required)
ID of the authenticated user (not included for M2M sessions). Example: usr_1234567890

key_id (string, required)
ID of the RSA key used to sign the JWT tokens. Example: key_abc123

client_name (string)
Client name, for M2M (machine-to-machine) sessions only. Example: api-service-prod

Example Scute Session Object

User Session (with refresh token)

{
  "access": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoidXNyXzEyMzQ1Njc4OTAiLCJhaWQiOiJhcHBfMTIzIiwid2lkIjoid3NfMTIzIiwiZXhwIjoxNzA1MzE4MjAwfQ...",
  "refresh": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoidXNyXzEyMzQ1Njc4OTAiLCJhaWQiOiJhcHBfMTIzIiwid2lkIjoid3NfMTIzIiwiZXhwIjoxNzM3OTQwMjAwfQ...",
  "csrf": "a1b2c3d4e5f6g7h8i9j0",
  "access_expires_at": 1705318200,
  "refresh_expires_at": 1737940200,
  "user_id": "usr_1234567890",
  "key_id": "key_abc123"
}

User Session (without refresh token)

{
  "access": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoidXNyXzEyMzQ1Njc4OTAiLCJhaWQiOiJhcHBfMTIzIiwid2lkIjoid3NfMTIzIiwiZXhwIjoxNzA1MzE4MjAwfQ...",
  "csrf": "a1b2c3d4e5f6g7h8i9j0",
  "access_expires_at": 1705318200,
  "user_id": "usr_1234567890",
  "key_id": "key_abc123"
}

M2M (Machine-to-Machine) Session

{
  "access": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhaWQiOiJhcHBfMTIzIiwid2lkIjoid3NfMTIzIiwibTJtIjp0cnVlLCJleHAiOjQ4NjExODIwMDB9...",
  "refresh": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhaWQiOiJhcHBfMTIzIiwid2lkIjoid3NfMTIzIiwibTJtIjp0cnVlLCJleHAiOjQ4NjExODIwMDB9...",
  "csrf": "a1b2c3d4e5f6g7h8i9j0",
  "access_expires_at": 4861182000,
  "refresh_expires_at": 4861182000,
  "client_name": "api-service-prod",
  "key_id": "key_abc123"
}

JWT Token Payload

The access and refresh tokens contain the following claims:

uuid (string)
User ID (only in user sessions, not in M2M sessions)

aid (string, required)
Application ID

wid (string, required)
Workspace ID

m2m (boolean)
Flag indicating this is a machine-to-machine session (only in M2M tokens)

crid (string)
Credential ID (only in WebAuthn sessions)

exp (integer, required)
Token expiration time (Unix timestamp)

uid (string, required)
Unique token identifier for session management
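
The following is an added example, not Scute's own code: a consistency check that cross-references the session object's fields against the claims in its access token, using the field and claim names documented above. It assumes the envelope mirrors the claims as in the sample objects (exp equals access_expires_at, uuid equals user_id); the helper names, the "uid" value and the placeholder signature are constructed for illustration.

```python
import base64, json, time

def b64url(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def unverified_claims(token):
    """Decode a JWT payload WITHOUT checking its signature (inspection only)."""
    header, payload, _sig = token.split(".")  # ValueError unless three segments
    if json.loads(b64url(header)).get("alg") != "RS256":  # alg in the page's samples
        raise ValueError("unexpected alg")
    return json.loads(b64url(payload))

def check_session(s, now=None):
    """List inconsistencies between the session envelope and the access-token claims."""
    now = time.time() if now is None else now
    required = ("access", "csrf", "access_expires_at", "key_id")
    problems = [f"missing field: {k}" for k in required if k not in s]
    if problems:
        return problems
    c = unverified_claims(s["access"])
    problems += [f"missing claim: {k}" for k in ("aid", "wid", "exp", "uid") if k not in c]
    # Assumption: the envelope mirrors the claims, as in the page's sample objects.
    if c.get("exp") != s["access_expires_at"]:
        problems.append("exp claim != access_expires_at")
    if s["access_expires_at"] <= now:
        problems.append("access token expired")
    if c.get("m2m") is True:
        if "uuid" in c or "user_id" in s:
            problems.append("M2M session carries a user identity")
        if "client_name" not in s:
            problems.append("M2M session without client_name")
    elif c.get("uuid") is None or c["uuid"] != s.get("user_id"):
        problems.append("uuid claim != user_id")
    if ("refresh" in s) != ("refresh_expires_at" in s):
        problems.append("refresh and refresh_expires_at must appear together")
    return problems

def sample_jwt(claims):
    """Constructed token with a placeholder signature; not real Scute output."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnLXBsYWNlaG9sZGVy"])

USER = {  # constructed; values follow the page's example, the "uid" value is made up
    "access": sample_jwt({"uuid": "usr_1234567890", "aid": "app_123", "wid": "ws_123",
                          "exp": 1705318200, "uid": "tok_example"}),
    "csrf": "a1b2c3d4e5f6g7h8i9j0", "access_expires_at": 1705318200,
    "user_id": "usr_1234567890", "key_id": "key_abc123",
}

if __name__ == "__main__":
    print(check_session(USER, now=1705318000))
    print(check_session(dict(USER, user_id="usr_other"), now=1705318000))
```

This check only compares fields; a token's claims should be trusted only after its RS256 signature has been verified against the RSA key identified by key_id.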