Login and Logout Behavior
This section describes the default expected behavior of Wink Identity Web when users sign in and sign out.
Browser Behavior
When a user successfully signs in, Wink Identity issues a standard OAuth2 token set:
- Access Token: default validity 5 minutes
- Refresh Token: default validity 30 minutes
Managing Sessions
Managing user sessions is the responsibility of your application:
- When the access token expires, your app should treat the user as logged out and call the sign out method (as described in the Integration section).
- To extend the session beyond 5 minutes, your app must call the Refresh Token endpoint. Each refresh extends the validity of all tokens by 5 additional minutes, including the refresh token itself.
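One way to keep this bookkeeping in the browser, shown as an added example that is not Wink's own code. Assumptions: the token response uses the RFC 6749 field names (`access_token`, `refresh_token`, `expires_in`), `deps.refresh` and `deps.signOut` are hypothetical callbacks around your integration, the refresh margin and idle limit are choices made for this example, and "extends by 5 additional minutes" is read as moving the refresh-token deadline 5 minutes later.

```javascript
// Added example. Lifetimes are the defaults stated on this page.
const ACCESS_TTL_MS = 5 * 60 * 1000;         // access token: 5 minutes
const REFRESH_TTL_MS = 30 * 60 * 1000;       // refresh token: 30 minutes
const REFRESH_EXTENSION_MS = 5 * 60 * 1000;  // each refresh adds 5 minutes
const REFRESH_MARGIN_MS = 60 * 1000;         // assumption: refresh 1 minute early
const IDLE_LIMIT_MS = 5 * 60 * 1000;         // assumption: idle users are not refreshed

// Record absolute deadlines when a token set arrives. `prev` is the session
// being refreshed, or null at sign-in.
function recordTokens(tokenSet, nowMs, prev = null) {
  const accessTtlMs = Number.isFinite(tokenSet.expires_in)
    ? tokenSet.expires_in * 1000 : ACCESS_TTL_MS;
  return {
    accessToken: tokenSet.access_token,
    // Keep the old refresh token if the response does not rotate it.
    refreshToken: tokenSet.refresh_token || (prev && prev.refreshToken),
    accessExpiresAt: nowMs + accessTtlMs,
    refreshExpiresAt: prev
      ? prev.refreshExpiresAt + REFRESH_EXTENSION_MS
      : nowMs + REFRESH_TTL_MS,
  };
}

// Pure decision: call it on a timer, on tab focus and before each API request.
function nextAction(session, nowMs, lastActivityMs) {
  if (!session || nowMs >= session.accessExpiresAt) return "sign_out";
  if (session.accessExpiresAt - nowMs > REFRESH_MARGIN_MS) return "none";
  if (nowMs >= session.refreshExpiresAt) return "none"; // cannot extend; let it expire
  return nowMs - lastActivityMs <= IDLE_LIMIT_MS ? "refresh" : "none";
}

// Driver. `deps.refresh` and `deps.signOut` are hypothetical callbacks that wrap
// the Refresh Token endpoint and the sign out method of your integration.
async function tick(session, deps, nowMs, lastActivityMs) {
  const action = nextAction(session, nowMs, lastActivityMs);
  if (action === "sign_out") {
    await deps.signOut();
    return null;
  }
  if (action !== "refresh") return session;
  try {
    return recordTokens(await deps.refresh(session.refreshToken), nowMs, session);
  } catch {
    await deps.signOut(); // fail closed: a failed refresh ends the session
    return null;
  }
}
```

Passing the clock and last-activity time in as arguments keeps the decision logic testable without real timers.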
Logout Behavior
When the user clicks “Sign Out”:
- They are redirected back to the sign-in page.
- The Wink session is fully terminated. The next sign-in will always require biometric verification.
SSO Behavior (Single Sign-On)
Wink Identity supports local browser SSO:
- If App A and App B both use Wink Identity, and the user signs into App A in Tab 1, then opens App B in Tab 2, authentication is instant — MFA is skipped.
- SSO is browser-local. A separate browser, even on the same device, requires a new sign-in.
WebView Behavior (inside Native Mobile Apps)
Wink Identity can run inside WebViews in mobile apps.
In WebView environments:
- There is no multi-tab or multi-browser state.
- Token lifetimes remain the same (5 min access token / 30 min refresh token).
If you need to use Wink Identity in native apps (iOS/Android) or inside embedded iFrames, contact your Wink representative.
Updated 11 days ago