AccessGuard — IAM with JWT, MFA, RBAC & SSO (SAML/OIDC) | Velaxe

Set token rotation & session hygiene

16 min | Intermediate | Security Engineer, Backend Engineer | Updated Sep 19, 2025

Overview

Short-lived access tokens, refresh rotation, and forced logout.

Prerequisites

None.

Permissions required

iam:configure, sessions:read

Steps (4)

Estimated: 16 min
  1. Set TTLs

    Security, 3 min

    Settings → Security → Tokens. Set access_token = 15m; refresh_token = 30d (example).

  2. Enable rotation

    Security, 4 min

    Enable refresh rotation and revoke on reuse; set idle/max session windows.

  3. Instrument introspection

    Backend, 5 min

    Use /auth/introspect from your gateway to validate tokens on critical APIs.

    Success criteria

    • Stale tokens rejected; reuse triggers revocation.
  4. Force logout playbook

    Security, 4 min

    From Sessions, revoke all for a user or by IP/UA pattern following an incident.
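
The behaviour that steps 2 and 4 configure (refresh rotation, revoke on reuse, idle/max session windows, forced logout) can be modelled in memory to see what a correct server should return in each case. This is an added example, not AccessGuard's code or API: `SessionStore`, its method names, the status strings and the idle/max values are assumptions; only the 30d refresh TTL comes from step 1.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 30 * 24 * 3600   # refresh_token = 30d, the guide's example value
IDLE_WINDOW = 7 * 24 * 3600    # assumed idle window (not from the guide)
MAX_SESSION = 90 * 24 * 3600   # assumed max session window (not from the guide)

def _h(raw):  # store only a hash, so a leaked table yields no usable refresh tokens
    return hashlib.sha256(raw.encode()).hexdigest()

class SessionStore:  # hypothetical model, not the AccessGuard API
    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}    # token hash -> {"family", "used", "expires"}
        self.families = {}  # family id -> {"user", "started", "last_seen", "revoked"}

    def _issue(self, family):
        raw = secrets.token_urlsafe(32)
        self.tokens[_h(raw)] = {"family": family, "used": False,
                                "expires": self.clock() + REFRESH_TTL}
        return raw

    def login(self, user):
        now, family = self.clock(), secrets.token_hex(8)
        self.families[family] = {"user": user, "started": now, "last_seen": now, "revoked": False}
        return self._issue(family)

    def refresh(self, raw):
        now, rec = self.clock(), self.tokens.get(_h(raw))
        if rec is None:
            return None, "unknown"
        fam = self.families[rec["family"]]
        if fam["revoked"]:
            return None, "revoked"
        if rec["used"]:              # an already-rotated token came back: treat as theft
            fam["revoked"] = True    # revoke on reuse kills every token in the family
            return None, "reuse_detected"
        if (now > rec["expires"] or now - fam["last_seen"] > IDLE_WINDOW
                or now - fam["started"] > MAX_SESSION):
            fam["revoked"] = True
            return None, "expired"
        rec["used"], fam["last_seen"] = True, now
        return self._issue(rec["family"]), "rotated"

    def force_logout(self, user):  # incident playbook: revoke all of a user's sessions
        live = [f for f in self.families.values() if f["user"] == user and not f["revoked"]]
        for fam in live:
            fam["revoked"] = True
        return len(live)
```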

About this guide

AccessGuard secures apps and external sites with hosted authentication and short-lived JWTs. Enable MFA, define RBAC permissions, and connect enterprise identity via SAML or OIDC. A lightweight HMAC bridge lets you embed login, registration, and token refresh flows on any domain without CORS pain.

Admins manage users, sessions, connections, and policies from one console. Profiles consolidate verified emails/phones, consents, KYC docs, and risk flags. Events and metrics provide visibility for security and ops.

Designed for velocity and safety: opinionated defaults, least-privilege keys, Prometheus counters, and exportable audit logs.