Maximum Session Duration - Whalemate Docs

Maximum Session Duration

Configure how long a user session can remain active before it is automatically closed. This setting is available to company administrators in the Security section.

What is it for?

Reducing the risk of unauthorized access when a user forgets to log out.
Meeting corporate or regulatory security requirements that mandate controlled session expiration.
Adapting the platform's behavior to the organization's security sensitivity level.
Giving administrators centralized control over the session policy for all company users.

How to use it?

Navigation: Settings → General → Security

Go to Settings from the side menu.
Select General and then the Security section.
Find the Maximum session duration option.
Click the selector and choose one of the available options:
- 30 minutes
- 1 hour
- 8 hours
- 24 hours
- 7 days
Click Save to apply the change.
The selected value remains visible after reloading the page.

This controls the total session duration within Whalemate, not inactivity timeout. When the limit is reached, the token expires and the user must re-authenticate.

The change applies to the entire organization. Active users with open sessions may be affected depending on the backend configuration.

Only company administrators have access to this setting.

❓ Frequently asked questions

What happens if I don't configure a session duration?
The platform uses the default value defined by Whalemate. We recommend reviewing and setting a value that aligns with your organization's security policy.

Can I revert to the previous value if I make a mistake?
Yes. You can change the value as many times as needed using the same selector and save again.
Does this setting also apply to SSO logins?
Yes. The configured time controls the session within Whalemate for both native login users and those accessing via SSO — including administrators and end users in the Academy. When the limit is reached, the Whalemate token expires and the user must re-authenticate. If the session at the identity provider (Google, Microsoft, etc.) is still active, re-entry may be immediate and without prompting for credentials — that is decided by the provider, not Whalemate. If the organization requires credentials to be requested upon re-entry, they must also adjust the session duration in their own SSO configuration.

Have feedback or want to request improvements? Let us know at roadmap.whalemate.com/roadmap