Fresh Session
Fresh-session verification lets recently signed-in users clear low and medium-risk step-up checks without re-entering a credential.
A fresh session is the lightest of the three sensitive-action verification methods. If the user signed in recently enough, low and medium-risk actions clear without asking for anything extra.
How it works
Freshness is measured by the session creation time, not by activity. When requireSensitiveAction runs for a level-1 or level-2 action, it compares the current session's age against the fresh-session window in POLICY_BY_LEVEL (packages/backend/convex/security/sensitiveActions.ts). Within the window the action proceeds; outside it, the user is asked for a password or email code instead.
When it applies
- Level 1 — a fresh session is sufficient on its own.
- Level 2 — a fresh session, password, or email code all satisfy the check.
- Levels 3 and 4 — a fresh session is never accepted; these always require an explicit password or email verification.
This keeps everyday friction low while ensuring the most destructive actions always demand a deliberate, current proof of identity.
Tuning
The fresh-session window lives in POLICY_BY_LEVEL. Shorten it to demand more frequent re-verification, or lengthen it to reduce friction. Helper logic is in security/freshSession.ts and security/sessionScope.ts.