Password & Security

Thallus uses a layered security model with short-lived access tokens, rotating refresh tokens, and rate-limited authentication endpoints. This page covers password management, session lifecycle, and the protections in place against common attack patterns.

Changing your password

You can change your password from the General tab in Settings. The form requires your current password for verification, then validates and sets the new one.

[Change Password form: Current password, New password and Confirm new password fields, with a Change Password button]

When you change your password, all existing refresh tokens are revoked — this logs out every other session (other browsers, devices, etc.). Your current session receives a new token pair automatically.

Password requirements

New passwords must satisfy all of the following:

Requirement         Details
Minimum length      12 characters
Maximum length      128 characters
Uppercase letter    At least one A–Z
Lowercase letter    At least one a–z
Digit               At least one 0–9
Special character   At least one non-alphanumeric character

Passwords are securely hashed before storage — Thallus never stores plaintext passwords.
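The requirements table and the hashing statement above, as an added worked example (not Thallus's own validation or storage code): check_password reports every requirement a candidate fails rather than just the first, and hash_password/verify_password show what "hashed before storage" means in practice with a salted PBKDF2-HMAC-SHA256. The iteration count and the use of PBKDF2 are assumptions; the page says only that plaintext is never stored.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Constructed example, not Thallus's own validation or hashing code.
# Policy values are the ones in the requirements table above.
MIN_LENGTH = 12
MAX_LENGTH = 128

# Assumed work factor for the illustrative PBKDF2 hash; the page does not
# say which algorithm Thallus uses.
PBKDF2_ITERATIONS = 200_000


def check_password(password: str) -> list[str]:
    """Return the names of the requirements the password fails ([] means acceptable)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("Minimum length")
    if len(password) > MAX_LENGTH:
        failures.append("Maximum length")
    if not re.search(r"[A-Z]", password):
        failures.append("Uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("Lowercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("Digit")
    # "Non-alphanumeric" relative to the ASCII ranges the table lists
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("Special character")
    return failures


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored form is 'salt$digest' in hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    for pw in ("Correct-Horse9Battery", "short1A!", "alllowercase12345"):
        print(repr(pw), "->", check_password(pw) or "ok")
    record = hash_password("Correct-Horse9Battery")
    print("verify correct:", verify_password("Correct-Horse9Battery", record))
    print("verify wrong:  ", verify_password("Correct-Horse9Batterx", record))
```

Returning the full list of failures is what lets a form show every unmet requirement at once; the constant-time comparison in verify_password avoids leaking how many leading bytes of the digest matched.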


Session management

Authentication uses a two-token system: a short-lived access token for API requests and a longer-lived refresh token for obtaining new access tokens.

Token lifecycle: Login → Access token issued → Token expires → Refresh token used → New token pair

Property    Access Token                           Refresh Token
Delivery    Authorization: Bearer <token> header   HttpOnly cookie
Lifetime    Short-lived (minutes)                  Long-lived (days)
Storage     In-memory                              Browser cookie (not accessible to JS)
Algorithm   JWT                                    Opaque token, hashed at rest
Refresh     Auto-refreshed before expiry           Rotated on each use

The frontend automatically refreshes access tokens before they expire — you won't notice token rotation during normal use.

Refresh token rotation

Each refresh token belongs to a token family. When a refresh token is used, it's consumed and a new refresh token from the same family is issued alongside the new access token. This is called token rotation.

If a previously consumed refresh token is reused (which indicates the token was stolen and both the attacker and legitimate user are attempting to use it), the entire token family is revoked. This means:

  1. The attacker's stolen token stops working
  2. The legitimate user is logged out and must re-authenticate
  3. All other tokens in the compromised family are invalidated

This approach limits the damage window of a stolen refresh token to a single use.
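The rotation and reuse-detection behaviour described above, as an added example that is not Thallus's implementation: refresh tokens are opaque, only their hash is stored, every login starts a family, each refresh consumes the presented token and issues the next one in the same family, and presenting an already-consumed token revokes the whole family. The in-memory TokenStore stands in for a database table; token lengths, hash choice and exception types are assumptions.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed example of refresh token rotation with token families.
# Not Thallus's own code; the store is a dict standing in for a DB table.


class ReuseDetected(Exception):
    """Raised when an already-consumed refresh token is presented again."""


@dataclass
class RefreshRecord:
    family_id: str
    consumed: bool = False


@dataclass
class TokenStore:
    records: dict = field(default_factory=dict)       # token hash -> RefreshRecord
    revoked_families: set = field(default_factory=set)


def _hash(token: str) -> str:
    # Only the hash is stored, so a leaked store does not yield usable tokens
    return hashlib.sha256(token.encode()).hexdigest()


def login(store: TokenStore) -> tuple[str, str]:
    """Start a new family at login; returns (family_id, refresh_token)."""
    family_id = secrets.token_hex(8)
    token = secrets.token_urlsafe(32)
    store.records[_hash(token)] = RefreshRecord(family_id)
    return family_id, token


def refresh(store: TokenStore, presented: str) -> str:
    """Consume `presented` and issue the next refresh token in its family."""
    record = store.records.get(_hash(presented))
    if record is None:
        raise PermissionError("unknown refresh token")
    if record.family_id in store.revoked_families:
        raise PermissionError("family revoked; re-authenticate")
    if record.consumed:
        # Two parties holding the same token: revoke every token in the family
        store.revoked_families.add(record.family_id)
        for r in store.records.values():
            if r.family_id == record.family_id:
                r.consumed = True
        raise ReuseDetected(f"family {record.family_id} revoked")
    record.consumed = True
    new_token = secrets.token_urlsafe(32)
    store.records[_hash(new_token)] = RefreshRecord(record.family_id)
    return new_token


def demo() -> dict:
    """Two legitimate rotations, then a replay of the first (consumed) token."""
    store = TokenStore()
    family, t1 = login(store)
    t2 = refresh(store, t1)          # normal rotation
    t3 = refresh(store, t2)
    outcome = {"family": family, "rotations_ok": t1 != t2 != t3}
    try:
        refresh(store, t1)           # replay of the consumed t1
        outcome["reuse_detected"] = False
    except ReuseDetected:
        outcome["reuse_detected"] = True
    try:
        refresh(store, t3)           # the newest token is now dead as well
        outcome["latest_still_valid"] = True
    except PermissionError:
        outcome["latest_still_valid"] = False
    return outcome


if __name__ == "__main__":
    print(demo())
```

The key property to notice in demo() is the third step: after the replay, even the latest legitimately issued token (t3) is rejected, which is exactly the "legitimate user is logged out" consequence listed above, and the reason the damage window is a single use.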


Session security states

Sessions can be in one of four states:

  • Active session: valid tokens
  • Token expiring soon: auto-refreshing
  • Session revoked: re-login required
  • Expired: inactive timeout

A session enters the "revoked" state when you change your password, when an admin revokes your sessions, or when refresh token reuse is detected (compromised family).


Inactivity timeout

Thallus can automatically end your session after a period of inactivity. When enabled, if no mouse movement, keyboard input, clicks, or scrolling is detected for the configured duration, you are logged out and redirected to the login page.

You can configure your own timeout from the Session Timeout section on the General tab in Settings:

[Session Timeout form: Enable inactivity timeout checkbox, Timeout (minutes) field showing 15, and a Save Timeout Settings button]

The timeout value can be set between 5 and 1440 minutes (24 hours). The actual logout may occur shortly after the timeout window due to periodic checking.

Enforced timeouts

Your organization or the platform administrator may enforce a maximum inactivity timeout. When this happens:

  • The "Enable inactivity timeout" checkbox appears checked and disabled
  • A message shows the enforced ceiling (e.g., "Platform policy requires a timeout of at most 15 minutes")
  • You can still set a shorter timeout than the enforced ceiling, but you cannot disable the timeout or exceed it

Enforcement uses a ceiling model: Platform → Organization → User. Each level sets an upper limit that lower levels cannot exceed. See Session timeout policy for how admins configure these ceilings.
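The ceiling model above, as an added example that is not Thallus's own code: each level may tighten but never loosen the level above it, a user under any policy cannot disable the timeout or exceed the ceiling, and the 5 to 1440 minute range from this page is applied to every value. None means "nothing configured at this level"; the message wording is modelled on the one quoted in the list above, but the exact text is an assumption.

```python
from __future__ import annotations

# Constructed example of the Platform -> Organization -> User ceiling model.
# Not Thallus's own code. Bounds come from the page; None = not configured.
MIN_MINUTES = 5
MAX_MINUTES = 1440


def clamp(minutes: int) -> int:
    """Keep a configured value inside the allowed 5..1440 minute range."""
    return max(MIN_MINUTES, min(minutes, MAX_MINUTES))


def resolve_timeout(platform: int | None, org: int | None, user: int | None) -> dict:
    """Return the effective inactivity timeout and how it was decided."""
    # Lower levels cannot exceed higher ones, so the tightest ceiling wins
    ceiling, source = None, None
    if platform is not None:
        ceiling, source = clamp(platform), "Platform"
    if org is not None and (ceiling is None or clamp(org) < ceiling):
        ceiling, source = clamp(org), "Organization"

    if ceiling is None:
        # No policy: the user's own setting applies, or no timeout at all
        effective = None if user is None else clamp(user)
    elif user is None:
        # Under a policy the timeout cannot be disabled: the ceiling applies
        effective = ceiling
    else:
        # The user may pick a shorter timeout but never a longer one
        effective = min(clamp(user), ceiling)

    return {
        "effective": effective,          # minutes, or None for "no timeout"
        "enforced": ceiling is not None,  # checkbox shown checked and disabled
        "ceiling": ceiling,
        "source": source,
        "message": None if ceiling is None
        else f"{source} policy requires a timeout of at most {ceiling} minutes",
    }


if __name__ == "__main__":
    for args in [(None, None, None), (None, None, 30), (15, None, None),
                 (15, 60, 30), (None, 60, 30), (None, 60, 2)]:
        print(args, "->", resolve_timeout(*args))
```

The (15, 60, 30) case is the one worth checking by hand: an organization ceiling of 60 cannot loosen a platform ceiling of 15, so the user's 30 is cut down to 15 and the message names the Platform as the source.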

What happens on timeout

When your session times out, two things happen simultaneously:

  1. Client-side: The browser detects inactivity and redirects to the login page with a "Session timed out due to inactivity" message
  2. Server-side: The next token refresh is rejected, ensuring the session cannot be resumed even if the browser check is bypassed

Brute force protection

Authentication endpoints are protected by rate limiting. If too many authentication requests are made from the same source, further attempts are temporarily blocked.

Rate limits apply to login, password change, and other authentication operations. The limits reset each minute. This prevents automated password guessing while still allowing normal use. See Rate Limiting for details.
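A per-source, fixed-window limiter of the kind described above, as an added example (not Thallus's limiter): attempts are counted per source and per minute, counts reset when the minute rolls over, and a blocked caller can be told how long to wait. The limit value, the choice of a plain source string as the key, and the sample attempt log are constructed assumptions; the page does not state the actual numbers.

```python
from __future__ import annotations

from collections import defaultdict

# Constructed example of per-source, fixed-window rate limiting that resets
# each minute. Not Thallus's own limiter; limit and source key are assumed.
DEFAULT_LIMIT_PER_MINUTE = 10  # assumed; the page does not state the number


class AuthRateLimiter:
    def __init__(self, limit: int = DEFAULT_LIMIT_PER_MINUTE) -> None:
        self.limit = limit
        # (source, minute window) -> attempts seen in that window
        self._counts: dict[tuple[str, int], int] = defaultdict(int)

    def allow(self, source: str, now: float) -> bool:
        """Return True if a request from `source` at time `now` (seconds) may proceed."""
        key = (source, int(now // 60))  # fixed one-minute window
        if self._counts[key] >= self.limit:
            return False                # blocked until the window rolls over
        self._counts[key] += 1
        return True

    @staticmethod
    def retry_after(now: float) -> int:
        """Seconds until the current minute window resets (e.g. for a Retry-After header)."""
        return 60 - int(now % 60)


def simulate(attempts: list[tuple[str, float]], limit: int) -> list[bool]:
    """Replay (source, timestamp) pairs through one limiter and report each decision."""
    limiter = AuthRateLimiter(limit)
    return [limiter.allow(source, t) for source, t in attempts]


# Constructed sample: one source hammering the login endpoint, a second
# source making a single attempt, then the first source again after a minute.
SAMPLE_ATTEMPTS = [
    ("10.0.0.1", 0), ("10.0.0.1", 1), ("10.0.0.1", 2), ("10.0.0.1", 3),
    ("10.0.0.1", 4), ("10.0.0.1", 5), ("10.0.0.2", 5), ("10.0.0.1", 6),
    ("10.0.0.1", 61),
]


if __name__ == "__main__":
    for (source, t), ok in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS, 5)):
        print(f"t={t:>3}s {source}: {'allowed' if ok else 'blocked'}")
```

With a limit of 5, the sixth and eighth attempts from 10.0.0.1 are blocked while the unrelated 10.0.0.2 attempt is unaffected, and the attempt at t=61 lands in a fresh window and is allowed again, which is the "reset each minute" behaviour the text describes.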


SSO accounts

If you authenticate through an SSO provider (Okta, Azure AD, Google Workspace, Auth0), your password is managed by your identity provider. The password change section is not shown on the Settings page for SSO-only accounts.

Session security still applies to SSO accounts — access tokens and refresh tokens work the same way regardless of how you initially authenticated.