---
title: Configure client-side sessions
description: Advanced Identity Cloud uses two types of tokens that represent an exchange of information, usually interactive, between Advanced Identity Cloud and a user or entity:
component: pingoneaic
page_id: pingoneaic:am-sessions:configure-client-side-sessions
canonical_url: https://docs.pingidentity.com/pingoneaic/am-sessions/configure-client-side-sessions.html
keywords: ["Sessions", "Authentication", "CTS Store (Sessions &amp; Tokens)", "Setup &amp; Configuration", "Storage"]
page_aliases: ["sessions-guide:configure-client-side-sessions.adoc"]
section_ids:
  proc-configure-client-based-auth-sessions: Client-side journey sessions
  proc-configure-client-based-sessions: Client-side authenticated sessions
  verify_client_side_authenticated_sessions: Verify client-side authenticated sessions
---

# Configure client-side sessions

Advanced Identity Cloud uses two types of tokens that represent an exchange of information, usually interactive, between Advanced Identity Cloud and a user or entity:

* *Journey sessions*, which Advanced Identity Cloud creates to track progress through a journey. These sessions last for the duration of the journey.

* *Authenticated sessions*, which Advanced Identity Cloud creates after a user has authenticated successfully to manage the user's or entity's access to resources.

You can configure Advanced Identity Cloud to use [client-side](client-side-sessions.html) or [server-side](server-side-sessions.html) journey and authenticated sessions.

This page covers how to configure Advanced Identity Cloud to use client-side journey and authenticated sessions.

## Client-side journey sessions

1. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Authentication > Settings.

2. Switch to the Trees tab.

3. From the Authentication session state management scheme drop-down list, select `JWT`.

4. In the Max duration (minutes) field, adjust the maximum life of the journey session in minutes.

   You can also set the maximum duration in a journey or at the node level. Learn more in [Maximum duration](../am-authentication/suspended-auth.html#maximum-duration).

5. Save your changes.

When Advanced Identity Cloud creates tenant environments, it generates signing secrets: unique, secure, random values for signing journey sessions.

To override the generated signing secret:

1. On the Authentication - Settings page, switch to the Security tab.

2. In the Organization Authentication Signing Secret field, enter a base64-encoded HMAC secret at least 128 bits long.

   |   |                                                                                                                                                                                                                                      |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | If you choose to override the generated signing secret, specify different values in your development, staging, and production tenant environments, so development sessions aren't valid in your production environment, for example. |

3. Save your changes.

## Client-side authenticated sessions

1. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Authentication > Settings.

2. Switch to the General tab.

3. Select Use Client-Side Sessions.

4. Save your changes.

## Verify client-side authenticated sessions

The service doesn't track client-side authenticated sessions:

1. Authenticate to the realm configured for client-side authenticated sessions as a non-administrative user:

   ```bash
   $ curl \
   --request POST \
   --header 'Content-Type: application/json' \
   --header 'X-OpenAM-Username: <non-admin-username>' \
   --header 'X-OpenAM-Password: <non-admin-password>' \
   --header 'Accept-API-Version: resource=2.0, protocol=1.0' \
   'https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/authenticate'
   {
       "tokenId":"<token-id>",
       "successUrl": "/enduser/?realm=/alpha",
       "realm":"/alpha"
   }
   ```

2. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Identities > *Username* to find the user identifier at the top of the profile page; for example:

   ![The profile page shows the user identifier.](_images/get-user-id.png)

3. Go to Realms > *Realm Name* > Sessions.

   With the user identifier, [search for the session](manage-sessions-ui.html). You should find no authenticated sessions for the non-administrative user:

   ![The service does not track client-side sessions.](_images/no-server-side-session.png)