Skip to main content
Passwork LogoPasswork LogoTechnical guides
search
7.0arrow
search
Version: 7.0

Session tokens

Passwork uses a token-based authentication model with Access Token / Refresh Token pair.

Token system overview

TokenPurposeLifetime
Access TokenAPI request authentication~2.8 hours
Refresh TokenAccess Token renewal36 hours

Why not JWT?

Passwork tokens are random strings, not JWT. For a password manager, this approach provides higher security:

CharacteristicPasswork tokensJWT
FormatRandom Base64 stringJSON with signature
Information in tokenNonePayload with data
ValidationDatabase lookupSignature verification
Token revocationInstant (DB deletion)Requires blacklist

Security advantages:

  • Instant session revocation. If compromise is suspected, administrator or user can immediately terminate any session — token is deleted from database and immediately becomes invalid. JWT continues working until expiration.

  • Full session control. All active sessions are stored on server, allowing tracking devices, IP addresses, and last activity time. Administrator sees complete picture and can manage access.

  • No sensitive data in token. JWT contains payload with user information that can be read (Base64 is not encryption). Passwork tokens are simply random identifiers without any information.

  • Key compromise resistance. If JWT secret key leaks, attacker can create valid tokens for any user. With session tokens, this attack vector doesn't exist.

  • No signing secret key. JWT requires storing private key on server for token signing — another secret to protect, rotate, and control. Passwork session tokens are just random strings, no secret keys needed for generation.

Access Token

Characteristics

ParameterValue
Length256 bits
FormatBase64
String length~44 characters
Entropy256 bits
Default lifetime10,000 seconds (~2.8 hours)

Generation

Access Token is generated with cryptographically secure random number generator:

token = base64(random_bytes(32))

Validation

On each request, server:

  1. Extracts token (from cookie or header, depending on mode)
  2. Looks up token in database
  3. Checks lifetime
  4. Links request to user

Token transmission modes

Passwork uses two Access Token transmission modes depending on client type:

Browser Mode (web application)

For web application, Access Token is transmitted via HttpOnly Cookie:

ParameterValue
HttpOnlyYes — inaccessible to JavaScript (XSS protection)
SecureYes — HTTPS only
SameSiteStrict — CSRF protection

In this mode, browser automatically attaches cookie to each request. Access Token is not returned in response body during authentication — only in Set-Cookie header.

API Mode (desktop, extension, mobile)

For API clients, Access Token is transmitted in Authorization header:

Authorization: Bearer {access_token}

In this mode, Access Token is returned in response body during authentication, and client manages storage independently.

Mode comparison

ParameterBrowser ModeAPI Mode
ClientsWeb applicationDesktop, Extension, Mobile
Token transmissionHttpOnly CookieAuthorization header
XSS protection✓ (HttpOnly)Depends on client
Token managementBrowser (automatic)Client (manual)

Refresh Token

Characteristics

ParameterValue
Length256 bits
FormatBase64
String length~44 characters
Entropy256 bits
Default lifetime129,600 seconds (36 hours)

Purpose

Refresh Token is used to obtain new Access Token without re-authentication. More on renewal process in Token rotation section.

Lifetime configuration

By user roles

Token lifetime is configured at user role level:

SettingDefault value
Access Token lifetime10,000 sec (~2.8 hours)
Refresh Token lifetime129,600 sec (36 hours)

Configuration examples

ScenarioAccess TTLRefresh TTL
Standard user10,000 sec129,600 sec
High security1,800 sec (30 min)14,400 sec (4 hours)
Convenience28,800 sec (8 hours)604,800 sec (7 days)

Session lifecycle

Complete lifecycle

T=0: Authentication. User enters credentials. Server creates Access Token (TTL: 2.8 hours) and Refresh Token (TTL: 36 hours).

T=2.8h: Access Token expired. Client sends Refresh Token. Server issues new tokens. Old Refresh Token is invalidated.

T=36h: Refresh Token expired. Re-authentication required. User enters credentials again.

Alternative scenario — Logout. User clicks "Logout". Both tokens are invalidated. Session terminated.

Token invalidation

All session tokens are invalidated on:

  • User logout
  • Master password change
  • Administrator master password reset

Token rotation

Standard mode (applications)

For web application, browser extension, mobile and desktop apps, strict token rotation policy applies.

When refreshing session, client sends Access Token and Refresh Token simultaneously, and receives new token pair in response. This provides continuous rotation of both tokens, preventing reuse of stolen tokens.

Automation mode (API)

For DevOps tasks and automation, strict rotation is often inconvenient. Therefore, for sessions created via API token generation, alternative mode is available:

  • Access Token only refresh without Refresh Token change
  • Separate Refresh Token renewal when needed

This allows using long-lived Refresh Tokens in scripts and CI/CD pipelines.

Token security

Interception protection

ThreatProtection
Network interceptionHTTPS/TLS required
XSS attackHttpOnly cookies (Browser Mode)
CSRFCSRF Token + SameSite cookies

CSRF Token

Purpose

CSRF Token protects against cross-site request forgery attacks. Required for all modifying operations.

Characteristics

ParameterValue
Size256 bits
FormatHexadecimal (64 characters)
Entropy256 bits
GeneratorCryptographically secure

Usage

CSRF Token is transmitted in header of each request:

X-CSRF-Token: {csrf_token}

Requirements by client type

Client typeCSRF Token
Web application (Browser Mode)✓ Required (generated and validated automatically)
Browser extensionOptional (on client request)
Mobile applicationOptional (on client request)
API— (not used)

Purpose

Optional additional protection feature for Browser Mode. Binds session to client context, protecting against cookie theft and session hijacking.

How it works

When enabled, server computes signature based on:

  • Client IP address
  • Browser User-Agent
  • Session identifier
  • Secret key (60 characters, ~357 bits entropy)

Signature is computed by formula:

cookieSign = HMAC-SHA512(IP + UserAgent + SessionID, secret)

Signature is saved in separate HttpOnly cookie and verified on each request.

Attack protection

AttackProtection
Session HijackingStolen cookie doesn't work from different IP
Cookie TheftCookie useless without matching IP + User-Agent

Limitations

  • IP change (VPN, mobile network) requires re-authentication
  • Browser update may change User-Agent

Enabling

Feature is enabled by administrator in system settings. Disabled by default for compatibility with users with dynamic IP.

Client types

Passwork distinguishes four client types with different security mechanisms:

FeatureWebBrowser ExtensionMobileAPI
Token transmission modeBrowser ModeAPI ModeAPI ModeAPI Mode
Access TokenCookieHeaderHeaderHeader
CSRF Token✓ RequiredOptionalOptional
Cookie SignOptional
PIN code✓ Supported

Browser Extension — only client type supporting server-side PIN code. PIN is verified on server, which opens temporary window for API use. After timeout, session is locked until PIN re-entry. On multiple incorrect attempts, server immediately terminates session. This protects against token theft — even with token compromise, attacker cannot use API without knowing PIN.

HTTP headers

Authentication headers

HeaderDescriptionMode
AuthorizationAccess Token (Bearer {token})API Mode
CookieAccess Token (automatic)Browser Mode
X-CSRF-TokenCSRF protectionAll modes
X-Master-Key-HashMaster key hashWhen needed

Client-side token storage

Each client type implements secure token storage according to platform capabilities:

  • Web application — Access Token stored in HttpOnly Cookie, inaccessible to JavaScript (XSS protection)
  • Desktop and Mobile apps — tokens stored in OS secure storage with restricted access
  • Browser extension — isolated browser storage used, inaccessible from web pages

Multiple sessions

Parallel sessions

Passwork supports multiple simultaneous sessions:

  • User can be authenticated on multiple devices
  • Each device has its own token pair
  • Logout on one device doesn't affect others

Session management

User can:

  • View list of active sessions
  • Terminate specific session
  • Terminate all sessions (except current)

Administrator can:

  • Force terminate all user sessions

Configuration recommendations

High security

ParameterValue
Access Token30 minutes
Refresh Token4 hours
  • Frequent re-authentication
  • Short attack window
  • Suitable for critical systems

Security and convenience balance (default)

ParameterValue
Access Token~2.8 hours
Refresh Token36 hours
  • Workday without re-authentication
  • Refresh Token for ~1.5 workdays
  • Suitable for most organizations

Maximum convenience

ParameterValue
Access Token8 hours
Refresh Token7 days
  • Authentication once a week
  • Suitable for low-risk scenarios
  • Not recommended for critical data
LLM version
© 2014–2025 «Passwork»
Company
About usPrivacy policyISO 27001 certificateRelease notesRoadmapBlog
Browser extension
Google ChromeMozilla FirefoxMicrosoft EdgeApple Safari
Mobile application
App StoreGoogle Play
For business
TeamsSmall businessBusiness and corporatesEnterpriseOn-premise solutionPassword sharing toolSecret management
Help
User manualTechnical documentationHelp center