A session is a credential issued to a single browser, IDE, or programmatic client after a successful login. It carries the user identity plus the active organization the session is currently scoped to. Every UI action and every GraphQL query reads its tenant scope from the session.

Where sessions live

Sessions are stored on the Session table in the control plane. Each row carries:
  • userId and activeOrganizationId.
  • expiresAt — sliding expiry; refreshes on activity.
  • ipAddress and userAgent — populated from the request that created the session.
  • impersonatedBy — set when a system admin is acting as another user.
API keys are not sessions. See API keys for that flow.

Viewing your sessions

Open Account → Sessions. Each row shows IP, user agent, created-at, last-active, and a marker for the session you’re viewing right now. Use Revoke to terminate any session immediately — useful for shared devices, lost laptops, or an unrecognized entry. You cannot revoke your current session from this panel; log out instead.

Switching active organization

When you select a different org from the org switcher, better-auth updates activeOrganizationId on the same session. The session token doesn’t change; only its tenant scope does. Tabs you have open on the old org will start returning data from the new one on the next refetch.

Logout

Logout deletes the current session row and clears the cookie. Other devices stay logged in until you revoke them or they expire on their own.

If you lost your password

There is no self-service password reset today — email-driven flows are blocked on email transport landing in the platform. Two paths exist instead:
  • Ask an admin in your organization. Owners and admins can reset a member’s password from the Members page (see Members and invitations). The reset path also revokes the user’s existing sessions in the same step, so the next sign-in is on a fresh credential.
  • Change while signed in. If you do remember your current password, use Change password from Account instead — it doesn’t require email and revokes other sessions as a side effect.
Self-service Forgot password from the sign-in page is on the roadmap and ships together with the email transport.

When a system admin impersonates you

A system admin can impersonate any user from the admin console. While impersonating:
  • A new session is created with impersonatedBy set to the admin’s user id.
  • All actions are recorded in the audit log under the admin’s identity, not yours.
  • Impersonation sessions show up in your sessions list with a clear marker so you can revoke them yourself if you ever see one you didn’t expect.

Session security checklist

  • Revoke unrecognized sessions immediately and rotate your password.
  • Never paste session cookies into a chat or screenshot.
  • Set up SSO if your organization supports it — fewer credentials in circulation.
  • Use API keys for automation, not your personal session.
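
The review behind the first checklist item and the impersonation marker, as an added example that is not the platform's own code: a JavaScript triage over session rows using the columns listed under "Where sessions live". The `id` field, the array shape, the `triageSessions` helper and the known-IP and known-agent lists are assumptions made for illustration.

```javascript
// Constructed sample rows. Field names are the Session columns this page lists;
// the "id" field and the array shape are assumptions made for the example.
const SAMPLE_SESSIONS = [
  { id: "s1", userId: "u1", activeOrganizationId: "org_a", expiresAt: "2030-01-01T00:00:00Z",
    ipAddress: "198.51.100.7", userAgent: "Mozilla/5.0 (Macintosh) Firefox/126.0", impersonatedBy: null },
  { id: "s2", userId: "u1", activeOrganizationId: "org_a", expiresAt: "2030-01-01T00:00:00Z",
    ipAddress: "203.0.113.50", userAgent: "curl/8.5.0", impersonatedBy: null },
  { id: "s3", userId: "u1", activeOrganizationId: "org_b", expiresAt: "2030-01-01T00:00:00Z",
    ipAddress: "198.51.100.7", userAgent: "Mozilla/5.0 (Macintosh) Firefox/126.0", impersonatedBy: "admin_9" },
  { id: "s4", userId: "u1", activeOrganizationId: "org_a", expiresAt: "2020-01-01T00:00:00Z",
    ipAddress: "203.0.113.99", userAgent: null, impersonatedBy: null },
];

// Hypothetical helper: list the live sessions worth a second look, with reasons.
function triageSessions(sessions, { knownIps, knownAgents, now = new Date() }) {
  const findings = [];
  for (const s of sessions) {
    // Assumption: a row whose expiresAt has passed no longer authenticates, so skip it.
    if (new Date(s.expiresAt) <= now) continue;
    const reasons = [];
    if (s.impersonatedBy) reasons.push(`impersonated by ${s.impersonatedBy}`);
    // ipAddress and userAgent describe the request that created the session, and
    // the user agent is client-supplied: a mismatch is a prompt to review, not proof.
    if (!s.ipAddress || !knownIps.has(s.ipAddress)) reasons.push("unrecognized IP");
    const ua = s.userAgent || "";
    if (!knownAgents.some((a) => ua.includes(a))) reasons.push("unrecognized user agent");
    if (reasons.length > 0) findings.push({ id: s.id, reasons });
  }
  return findings;
}

// Stand-alone run over the constructed rows with a fixed clock.
const sampleFindings = triageSessions(SAMPLE_SESSIONS, {
  knownIps: new Set(["198.51.100.7"]),
  knownAgents: ["Firefox/"],
  now: new Date("2025-06-01T00:00:00Z"),
});
for (const f of sampleFindings) console.log(f.id, f.reasons.join("; "));
```

Anything the helper returns is a candidate for Revoke from the sessions panel; a row with impersonatedBy set is expected only when an admin has told you they are acting on your account.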