Session creation methods
You can create a session using one of three methods:
- Client credentials — uses a clientId and clientSecret from your IdP. Best for long-lived service account sessions where tokens can be refreshed independently.
- Token exchange — reuses the current user’s credentials so the session runs with the user’s permissions. Use this for “run as current user” scenarios.
- One-shot token exchange — creates a short-lived session that is not refreshed. Does not require IdP support for token exchange.
Nonces and binding
When you create a session, the API returns a nonce. The nonce is short-lived (approximately 1 minute) and must be passed to the consumer (for example, a Transformation or Function) that will bind the session. Binding exchanges the nonce for an access token and session key used for subsequent refreshes.
Nonces can only be used with root sessions. Chained sessions (for example, a Function calling another Function) are limited to one level of depth.
Session invalidation
Sessions depend on the project’s OIDC configuration and can become invalid in the following cases:
- The project OIDC configuration is updated through the update project endpoint, which invalidates all sessions in the project.
- The session is invalidated through the identity provider.
Session revocation is idempotent but can take up to 1 hour to take effect.
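The timing rules above (a nonce that lives about 1 minute, revocation that can take up to 1 hour, and invalidation on an OIDC configuration update) can be applied when triaging an inventory of sessions. The following is an added example, not code from this API or its SDK; the record fields (id, created, bound_at, revoked_at), the state names and the sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Timings come from the page; the record layout is a hypothetical schema.
NONCE_TTL = timedelta(minutes=1)      # nonce is valid for "approximately 1 minute"
REVOCATION_LAG = timedelta(hours=1)   # revocation "can take up to 1 hour"

def classify(session, now, oidc_updated_at=None):
    """Return a conservative state for one session record."""
    created = session["created"]
    # A project OIDC configuration update invalidates every existing session.
    if oidc_updated_at is not None and created < oidc_updated_at:
        return "invalid-oidc-update"
    revoked = session.get("revoked_at")
    if revoked is not None:
        # Until the lag has elapsed, assume the session may still grant access.
        return "revoked" if now - revoked >= REVOCATION_LAG else "revoked-may-be-live"
    if session.get("bound_at") is None:
        # A nonce that was never bound can no longer be exchanged after its TTL.
        return "nonce-pending" if now - created < NONCE_TTL else "nonce-expired"
    return "active"

def audit(sessions, now, oidc_updated_at=None):
    """Map each session id to its state at time `now`."""
    return {s["id"]: classify(s, now, oidc_updated_at) for s in sessions}

# Constructed sample records, for illustration only.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"id": 1, "created": T0, "bound_at": T0 + timedelta(seconds=20)},
    {"id": 2, "created": T0},  # nonce was never bound
    {"id": 3, "created": T0, "bound_at": T0 + timedelta(seconds=5),
     "revoked_at": T0 + timedelta(minutes=30)},
    {"id": 4, "created": T0 - timedelta(days=2),
     "bound_at": T0 - timedelta(days=2)},
]

if __name__ == "__main__":
    now = T0 + timedelta(minutes=45)
    updated = T0 - timedelta(days=1)  # constructed OIDC update time
    for sid, state in audit(SAMPLE, now, updated).items():
        print(sid, state)
```

During incident response, treat any session in the "revoked-may-be-live" state as still able to reach data until the full hour has passed.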
Key capabilities
- Create sessions using client credentials, token exchange, or one-shot token exchange
- List and retrieve sessions by ID
- Revoke sessions to end access