
Session Security

Enterprise organizations can configure automatic session logout after a period of user inactivity. This helps meet compliance requirements for SOC 2, PCI DSS, FedRAMP, and HIPAA.

Inactivity Timeout

When enabled, users are automatically logged out after a configured period of inactivity. Activity is tracked via mouse movement, keyboard input, scrolling, and clicks.

Configuration

  1. Go to Settings > Organization
  2. Scroll to Session Security
  3. Select a timeout value from the dropdown
  4. Click Save

Available Options

  Setting               Use Case
  Disabled              No automatic logout
  15 minutes            PCI DSS compliance, high-security environments
  30 minutes (default)  FedRAMP Moderate, general enterprise security
  1 hour                Balanced security and usability
  2 hours               Development teams with long coding sessions
  4 hours               Low-risk environments
  8 hours               Minimal security, full workday sessions

How It Works

Server-side enforcement: Every API request checks the user's last recorded activity against the configured threshold. If the threshold has been exceeded, the request is rejected and the session is ended. Because the decision is made on the server from stored state, it cannot be bypassed from the client (for example, by suppressing the warning modal).

Client-side warning: A warning modal appears 2 minutes before logout with a "Stay logged in" button.

Multi-tab support: Activity in any browser tab resets the timer across all tabs.

API keys exempt: API keys used for CLI tools and integrations are not affected by the inactivity timeout. They have their own expiration controls.
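The enforcement model above, worked through as an added example (not Intentra's code): a server-side gate that every request passes through, with the API-key exemption, the 2-minute warning lead, and the audit events named under Audit Logging. The class, method and field names are hypothetical; the timeout values are the page's dropdown options.

```python
"""Server-side inactivity enforcement, as an added example (not Intentra's code).

Hypothetical model: each session stores a last_activity timestamp; the
organization's timeout is in minutes with 0 meaning Disabled; API keys are a
separate credential type that this check never touches. The audit event names
are the ones the page lists.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values from the page: dropdown settings (minutes), the default, the warning lead
ALLOWED_TIMEOUTS = {0, 15, 30, 60, 120, 240, 480}
DEFAULT_TIMEOUT = 30
WARNING_LEAD = timedelta(minutes=2)

# Constructed reference time for the demo; not real session data.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def minutes_after(minutes: float) -> datetime:
    return T0 + timedelta(minutes=minutes)


@dataclass
class Session:
    user_id: str
    last_activity: datetime
    active: bool = True


@dataclass
class Organization:
    org_id: str
    inactivity_timeout_minutes: int = DEFAULT_TIMEOUT


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, event: str, **fields) -> None:
        self.events.append({"event": event, **fields})


class InactivityEnforcer:
    def __init__(self, org: Organization, audit: AuditLog) -> None:
        self.org = org
        self.audit = audit

    def timeout(self) -> Optional[timedelta]:
        minutes = self.org.inactivity_timeout_minutes
        return None if minutes == 0 else timedelta(minutes=minutes)

    def check_request(self, session: Session, now: datetime, api_key: bool = False) -> bool:
        """Gate for every API request; True means the request may proceed.

        The decision is made here, from the stored timestamp, so a client that
        suppresses the warning modal or runs its own timer gains nothing: the
        first request past the threshold is rejected, the session is ended,
        and the expiry is audited.
        """
        if api_key:
            return True  # API keys are exempt; they have their own expiration controls
        if not session.active:
            return False  # already expired: stays rejected until the user logs in again
        limit = self.timeout()
        if limit is not None and now - session.last_activity > limit:
            session.active = False
            self.audit.record("session_expired_inactivity", user_id=session.user_id,
                              org_id=self.org.org_id, at=now.isoformat())
            return False
        session.last_activity = now  # an accepted request is itself activity
        return True

    def record_activity(self, session: Session, now: datetime) -> bool:
        """Heartbeat from the client (mouse, keyboard, scroll, click, or the
        "Stay logged in" button). Any tab may send it; it goes through the same
        gate, so a heartbeat that arrives after the threshold cannot revive the session."""
        return self.check_request(session, now)

    def seconds_until_warning(self, session: Session, now: datetime) -> Optional[float]:
        """When the client should show its 2-minute warning; None when Disabled."""
        limit = self.timeout()
        if limit is None:
            return None
        return (session.last_activity + limit - WARNING_LEAD - now).total_seconds()

    def update_timeout(self, minutes: int, admin_id: str) -> None:
        """Admin change from Settings > Organization; validated and audited."""
        if minutes not in ALLOWED_TIMEOUTS:
            raise ValueError(f"unsupported timeout: {minutes}")
        previous = self.org.inactivity_timeout_minutes
        self.org.inactivity_timeout_minutes = minutes
        self.audit.record("inactivity_timeout_updated", admin_id=admin_id,
                          org_id=self.org.org_id, previous=previous, new=minutes)


if __name__ == "__main__":
    audit = AuditLog()
    enforcer = InactivityEnforcer(Organization("org-1", 15), audit)
    session = Session("user-1", T0)
    print(enforcer.check_request(session, minutes_after(14)))  # True
    print(enforcer.check_request(session, minutes_after(30)))  # False, 16 minutes idle
    print(audit.events[-1]["event"])  # session_expired_inactivity
```

The point to take from it is that check_request is the only path that reads or refreshes last_activity, so a heartbeat or "Stay logged in" click that arrives after the threshold is rejected the same way as any other request; the client-side warning is a courtesy, not a control.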

Compliance

This feature helps meet session management requirements for:

  • SOC 2 (CC6.1) — Configurable timeout with audit trail
  • PCI DSS (8.2.8) — 15-minute timeout option
  • FedRAMP Moderate (NIST AC-12) — 30-minute timeout with warning
  • HIPAA (164.312(a)(2)(iii)) — Risk-assessment driven, admin configurable

Audit Logging

All timeout configuration changes and inactivity logouts are recorded in your organization's audit log under Settings > Audit Logs.

Events logged:

  • inactivity_timeout_updated — Admin changed the timeout value
  • session_expired_inactivity — User was logged out due to inactivity

Rich Trace Data

When rich traces are enabled, Intentra captures tool call inputs and outputs for session inspection. This data receives additional security treatment:

  • Automatic redaction: API keys, tokens, passwords, connection strings, and URIs are stripped before storage
  • Size limits: Each content field is truncated to 10KB maximum
  • Opt-in only: Requires both the CLI setting (INTENTRA_RICH_TRACES=true) and the organization setting; either one alone leaves rich traces off
  • Same retention: Rich trace data follows your organization's standard data retention policy
  • Access control: Only organization members with session access can view trace content
  • Admin control: Organization admins can disable rich traces at any time in Settings
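The two storage rules above, redaction then the 10KB cap, as an added example (not Intentra's own redaction code). The patterns, the truncation marker and the input/output field names are assumptions for illustration; the sample tool call is constructed.

```python
"""Rich trace sanitization, as an added example (not Intentra's code).

Applies the two rules the page states, redaction then a 10KB cap, to tool call
input/output before storage. The regexes are illustrative assumptions, not
Intentra's redaction rules; the field names "input" and "output" are assumed too.
"""
import re
from typing import Dict

MAX_FIELD_BYTES = 10 * 1024          # page: each content field capped at 10KB
TRUNCATION_MARKER = "\n[truncated]"  # assumed marker, counted inside the cap

# (pattern, replacement) pairs, applied in order. Example secrets below are constructed.
REDACTIONS = [
    # key/value credentials in env files, JSON, query strings, ADO-style connection strings:
    #   DB_PASSWORD=hunter2   "api_key": "abc"   Password=p@ss;
    (re.compile(r'(?i)([\w.-]*(?:api[_-]?key|token|secret|password|passwd|pwd)\w*)'
                r'(["\']?\s*[:=]\s*)(["\']?)([^\s"\',;&]+)'),
     r'\1\2\3[REDACTED]'),
    # HTTP Authorization headers
    (re.compile(r'(?i)(authorization\s*:\s*(?:bearer|basic)\s+)[^\s"\']+'),
     r'\1[REDACTED]'),
    # URIs are stripped wholesale; this also covers scheme://user:pass@host strings
    (re.compile(r'(?i)\b[a-z][a-z0-9+.-]*://[^\s"\'<>]+'), '[URI]'),
]


def redact(text: str) -> str:
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def truncate(text: str, limit: int = MAX_FIELD_BYTES) -> str:
    """Cap at `limit` UTF-8 bytes without splitting a multi-byte character;
    the marker is counted inside the limit so stored size never exceeds it."""
    data = text.encode("utf-8")
    if len(data) <= limit:
        return text
    marker = TRUNCATION_MARKER.encode("utf-8")
    head = data[: limit - len(marker)].decode("utf-8", errors="ignore")
    return head + TRUNCATION_MARKER


def sanitize_field(text: str) -> str:
    # Redact first: the patterns must see whole tokens, and the size cap
    # applies to what is actually stored, not to the raw content.
    return truncate(redact(text))


def sanitize_trace(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a tool call record with its content fields sanitized."""
    out = dict(record)
    for key in ("input", "output"):
        if key in out:
            out[key] = sanitize_field(out[key])
    return out


if __name__ == "__main__":
    # Constructed sample tool call; none of these values are real credentials.
    trace = {
        "tool": "shell",
        "input": 'curl -H "Authorization: Bearer eyJabc.def.ghi" https://api.example.com/v1?x=1',
        "output": 'DB_PASSWORD=hunter2\n{"api_key": "sk-test-123"}\nServer=db;Password=p@ss;',
    }
    for name, value in sanitize_trace(trace).items():
        print(name, "=>", value)
```

Order matters: redaction runs over the full content so no pattern is cut in half by the truncation, and the cap is then applied to what is actually stored. Pattern-based redaction is best-effort (a credential in an unexpected format passes through), which is why the access-control and retention rules above still matter for trace content.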