Session Inactivity Timeout

Authenticated sessions in conversations automatically expire after a period of inactivity and have an absolute 24-hour limit. This prevents a session from remaining open indefinitely.

When an employee authenticates with the agent to check their pay stub and then leaves their phone unused for 3 hours, the session should expire — not remain open waiting for anyone to pick up the conversation. Inactivity timeout protects authenticated sessions by closing them automatically when the user stops interacting.

What is it for?

Sessions that do not expire are a security risk. If someone leaves their phone unlocked, or if a WhatsApp conversation stays open on a shared device, anyone could continue the conversation with the agent and access the authenticated user's information. Inactivity timeout minimizes this risk window.

How does it work?

There are two independent expiration mechanisms that run in parallel:

Mechanism 1 — Inactivity expiration: Works like a timer that resets with each user message. If the user does not send any message during the configured time (default 30 minutes), the session expires. Every time the user interacts, the timer resets to zero.

Mechanism 2 — Absolute 24-hour limit: Regardless of how much activity there is, no session can last more than 24 hours from the moment of authentication. This limit is not configurable and serves to prevent perpetual sessions — even if the user was active all day, at 24 hours they must authenticate again.

When either mechanism triggers expiration:

  • The session is closed
  • The conversation history is reset
  • The user must authenticate again to access protected information
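The two mechanisms above, as an added example (not Rela AI's own code): a minimal expiry check replayed over constructed message timelines. All class and function names are hypothetical, and treating the exact deadline as expired (`>=`) is an assumption the page does not specify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ABSOLUTE_LIMIT = timedelta(hours=24)   # fixed on the page: not configurable
DEFAULT_IDLE = timedelta(minutes=30)   # the page's default inactivity timeout

@dataclass
class ConversationSession:
    """Hypothetical model of one authenticated chat session."""
    user_id: str
    authenticated_at: datetime
    last_activity: datetime
    idle_timeout: timedelta = DEFAULT_IDLE

def expiry_reason(s, now) -> Optional[str]:
    """Return the mechanism that expired the session, or None if valid."""
    # Boundary handling (>=) is an assumption; the page does not specify it.
    if now - s.authenticated_at >= ABSOLUTE_LIMIT:
        return "absolute_limit"      # mechanism 2: ignores activity entirely
    if now - s.last_activity >= s.idle_timeout:
        return "inactivity"          # mechanism 1: no message within timeout
    return None

def on_user_message(s, now):
    """Handle an inbound message; return (session_or_None, action)."""
    # Expiry is evaluated BEFORE the idle timer is reset, so a message that
    # arrives after the deadline cannot revive an expired session.
    if s is None:
        return None, "reauthenticate"
    reason = expiry_reason(s, now)
    if reason is not None:
        return None, "reauthenticate:" + reason   # session closed
    s.last_activity = now                          # timer resets to zero
    return s, "continue"

def replay(idle_minutes, offsets_min):
    """Replay messages sent at minute offsets after authentication."""
    t0 = datetime(2024, 1, 1, 8, 0)   # constructed sample start time
    s = ConversationSession("emp-001", t0, t0, timedelta(minutes=idle_minutes))
    actions = []
    for off in offsets_min:
        s, action = on_user_message(s, t0 + timedelta(minutes=off))
        actions.append(action)
    return actions
```

Checking expiry before refreshing `last_activity` is the detail that matters: if the order is reversed, the first message from whoever picks up the device silently extends the previous user's session.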

How to use it?

Configure the inactivity timeout

The inactivity timeout is configured in the agent's authentication tool:

  1. Go to the agent's authentication tool (Authenticate conversation).
  2. Find the Inactivity timeout field (in minutes).
  3. Set the value according to the required security level.

| Inactivity timeout | Recommended use case |
| --- | --- |
| 10 to 15 minutes | Very sensitive information: financial, medical, or payroll data |
| 30 minutes (default) | General use: balance between security and convenience |
| 60 to 90 minutes | Longer field work sessions where the technician cannot send messages constantly |
| Up to 24 hours | Low-sensitivity queries where extended inactivity is normal |

What the user experiences when the session expires

If the user tries to continue a conversation after the session expired, the agent asks them to authenticate again:

"Your session has expired due to inactivity. To continue, please identify yourself again. What is your employee number?"

The previous messages are not lost: they remain available in the conversation history for supervision, but the authentication context is reset.

Difference between conversation session and platform session

It is important to distinguish two types of sessions:

| Type | What it is | Where it applies |
| --- | --- | --- |
| Conversation session | The authentication within the chat with the agent | WhatsApp and email (the mechanism described in this section) |
| Platform session | The login to the Rela AI web dashboard | Configured in the Security section of the dashboard |

This section describes exclusively conversation sessions — the authentication the agent requests within a WhatsApp or email chat.

Key benefits

  • Inactive sessions expire automatically without the user needing to sign out
  • The 24-hour limit guarantees there are no perpetual sessions even if the user stays active
  • The inactivity timeout is configurable to match the sensitivity level of each agent
  • The user receives a clear message when their session expires — they know they need to authenticate again
  • Protection against unauthorized access on shared or unattended devices

Common use cases

Scenario 1: HR agent with a short session

The payroll agent has an inactivity timeout of 15 minutes. An employee queries their pay stub, gets the information, and leaves their phone on their desk. 15 minutes later, if someone picks up the phone and tries to continue the conversation, the agent asks for authentication again. The original employee's information is not exposed.

Scenario 2: Field technician with a long session

The shift technician authenticates with the agent to query equipment specifications during their 4-hour inspection round. The inactivity timeout is set to 90 minutes, enough to go from one piece of equipment to another without having to authenticate each time. The absolute 24-hour limit guarantees that if the technician forgets to "close the session" at the end of their shift, the next person who uses the chat (on the next shift) will have to authenticate again.

Scenario 3: Session on a shared device

In a plant area there is a shared tablet with access to the inventory agent. A technician authenticates, queries spare parts stock, and leaves without "logging out" because there is no such concept in WhatsApp. With a 30-minute inactivity timeout, when the next technician picks up the tablet half an hour later and sends a message, the agent asks them to identify themselves. Each technician only sees their own session and their own data.
