Session Management

Every time the SDK is loaded, it is initialized with a token. Hubble uses this token to authenticate the user via your SSO endpoint and creates a new session.

How Sessions Work

When a user opens the SDK with a valid SSO token, Hubble authenticates the token against your backend and creates a session. This session is tied to the user's identity and persists across page loads within the SDK.

Session Duration

By default, an SDK session is valid for 24 hours. After this period, the user will need to re-authenticate with a fresh SSO token. If you need a different session duration, contact the Hubble team to customize this setting.

One Session Per User

A user can have only one active session at a time. If a user opens the SDK on a second device (Device B), the session on the first device (Device A) is automatically invalidated. The next time the user interacts with the SDK on Device A, they will be logged out and need to re-authenticate.

When to Invalidate Sessions

You should call the session invalidation API in the following scenarios:

  1. User logout — When a user logs out of your app, invalidate their Hubble session to prevent access to their data.
  2. Account switching — If your app supports multiple accounts and the user switches accounts, invalidate the previous user's session.
  3. Security events — If you detect suspicious activity (password change, device change, etc.), invalidate the session as a precaution.

Invalidating Sessions from Your Backend

| Property | Value |
| --- | --- |
| Method | POST |
| URL | https://api.myhubble.money/v1/auth/partner/logout-user |
| Header | X-PARTNER-SECRET (secret key shared by Hubble) |
| Content-Type | application/json |

Request Body:

{
  "userId": "user-12345"
}

Response (200 OK):

{
  "success": true
}

Best Practice: Destroy the WebView on Logout

In addition to calling the session invalidation API, destroy the WebView or iframe when the user logs out. This ensures no cached content from the previous session is visible. When the new user opens the SDK, create a fresh WebView with a new SSO token.

Example: Node.js

const axios = require('axios');

async function invalidateHubbleSession(userId) {
  try {
    const response = await axios.post(
      'https://api.myhubble.money/v1/auth/partner/logout-user',
      { userId },
      {
        headers: {
          'X-PARTNER-SECRET': process.env.HUBBLE_PARTNER_SECRET,
          'Content-Type': 'application/json',
        },
      }
    );
    console.log('Session invalidated:', response.data);
  } catch (error) {
    console.error('Failed to invalidate session:', error.message);
  }
}

// Call when user logs out
invalidateHubbleSession('user-12345');

Example: Python

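import os

import requests

# Read the partner secret from the environment; never hard-code it
HUBBLE_PARTNER_SECRET = os.environ['HUBBLE_PARTNER_SECRET']

def invalidate_hubble_session(user_id: str):
    response = requests.post(
        'https://api.myhubble.money/v1/auth/partner/logout-user',
        json={'userId': user_id},
        headers={
            'X-PARTNER-SECRET': HUBBLE_PARTNER_SECRET,
            'Content-Type': 'application/json',
        },
        timeout=10,  # without a timeout, requests can block indefinitely
    )
    # Raise on any non-2xx status so a failed invalidation is not missed
    response.raise_for_status()
    return response.json()

# Call when user logs out
invalidate_hubble_session('user-12345')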
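
Example: Handling a Failed Invalidation (Python)

The examples above make a single attempt, so a timeout or error response can leave the old session active after logout or a security event. The following is an added example, not Hubble's own code: it retries with backoff and treats anything other than 200 with "success": true as a failure. The names invalidate_session, http_post and pending, the retry count, and the backoff values are assumptions for illustration.

```python
import json
import time
import urllib.request

LOGOUT_URL = "https://api.myhubble.money/v1/auth/partner/logout-user"


def http_post(user_id, secret, timeout=5):
    """One logout-user call as documented above; returns (status, parsed body)."""
    req = urllib.request.Request(
        LOGOUT_URL,
        data=json.dumps({"userId": user_id}).encode(),
        headers={"X-PARTNER-SECRET": secret, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read())


def invalidate_session(user_id, secret, pending, post=http_post,
                       attempts=3, backoff=0.5, sleep=time.sleep):
    """Return True only if Hubble answers 200 with {"success": true}.

    Failures are retried with exponential backoff. If every attempt fails,
    user_id is added to `pending` (hypothetical retry queue, an assumption)
    so a background job can try again; the session may be live until then.
    """
    for attempt in range(attempts):
        try:
            status, body = post(user_id, secret)
            if status == 200 and isinstance(body, dict) and body.get("success") is True:
                pending.discard(user_id)
                return True
        except (OSError, ValueError):
            pass  # timeout, connection/HTTP error, or a body that is not JSON
        if attempt < attempts - 1:
            sleep(backoff * 2 ** attempt)
    pending.add(user_id)
    return False


if __name__ == "__main__":
    # Constructed demo: a fake transport that fails twice, then succeeds.
    replies = [OSError("timeout"), (200, {"success": False}), (200, {"success": True})]
    def fake_post(user_id, secret):
        r = replies.pop(0)
        if isinstance(r, Exception):
            raise r
        return r
    print(invalidate_session("user-12345", "test-secret", set(), fake_post, sleep=lambda s: None))
```

Whatever this returns, still destroy the WebView on logout as described above; a False result means the server-side session has not been confirmed as invalidated.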