Login and Logout Behavior

This section describes the default expected behavior of Wink Identity Web when users sign in and sign out.

Browser Behavior

When a user successfully signs in, Wink Identity issues a standard OAuth2 token set:

  • Access Token: default validity 5 minutes
  • Refresh Token: default validity 30 minutes

Managing Sessions

Managing user sessions is the responsibility of your application:

  • When the access token expires, your app should treat the user as logged out and call the sign out method (as described in the Integration section).
  • To extend the session beyond 5 minutes, your app must call the Refresh Token endpoint. Each refresh extends the validity of all tokens by 5 additional minutes, including the refresh token itself.
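
The two rules above can be driven by a small expiry tracker in the client. This is an added example, not Wink Identity's own code: the callbacks refreshTokens and signOut, the response field refresh_expires_in, and the 30-second refresh margin are assumptions (expires_in is the standard OAuth2 field).

```javascript
// Added example: client-side bookkeeping for the token lifetimes described above.
// Assumption: the token response carries expires_in (standard OAuth2) and
// refresh_expires_in (hypothetical field name), both in seconds.
const REFRESH_MARGIN_MS = 30 * 1000; // constructed value: refresh 30 s before expiry

class SessionTracker {
  constructor(now = () => Date.now()) {
    this.now = now;        // injectable clock so the logic can be tested
    this.accessExp = 0;    // epoch ms at which the access token expires
    this.refreshExp = 0;   // epoch ms at which the refresh token expires
  }

  // Call after sign-in and after every successful refresh.
  onTokens(resp) {
    const t = this.now();
    this.accessExp = t + resp.expires_in * 1000;
    this.refreshExp = t + resp.refresh_expires_in * 1000;
  }

  // Forget all expiries so a stale value cannot keep the session alive.
  clear() { this.accessExp = 0; this.refreshExp = 0; }

  // 'signout': access token expired, treat the user as logged out.
  // 'refresh': access token close to expiry and refresh token still valid.
  // 'wait':    nothing to do yet.
  nextAction() {
    const t = this.now();
    if (t >= this.accessExp) return 'signout';
    if (this.accessExp - t <= REFRESH_MARGIN_MS && t < this.refreshExp) return 'refresh';
    return 'wait';
  }
}

// Run periodically (for example from setInterval) with app-supplied callbacks.
async function tick(tracker, { refreshTokens, signOut }) {
  const action = tracker.nextAction();
  if (action === 'wait') return action;
  if (action === 'refresh') {
    try {
      tracker.onTokens(await refreshTokens());
      return action;
    } catch (err) {
      // A failed refresh fails closed: fall through and sign the user out.
    }
  }
  tracker.clear();
  await signOut();
  return 'signout';
}
```

Because the clock is injected, the decision logic can be unit-tested without waiting on real timers.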

Logout Behavior

When the user clicks “Sign Out”:

  • They are redirected back to the sign-in page.
  • However, if their access token is still valid, signing back in immediately will bypass biometric authentication. (This is expected behavior, since the session is still active until token expiry.)

SSO Behavior (Single Sign-On)

Wink Identity supports local browser SSO:

  • If App A and App B both use Wink Identity, and the user signs into App A in Tab 1, then opens App B in Tab 2, authentication is instant — MFA is skipped.
  • SSO is browser-local. A separate browser, even on the same device, requires a new sign-in.


WebView Behavior (inside Native Mobile Apps)

Wink Identity can run inside WebViews in mobile apps.

In WebView environments:

  • There is no multi-tab or multi-browser state.
  • Token lifetimes remain the same (5 min access token / 30 min refresh token).

If you need to use Wink Identity in native (iOS/Android) apps or inside embedded iFrames, contact your Wink representative.

