Skip to content

Session Setup

A session is an authenticated connection between your client app and the Vonage API. Your backend issues a JWT, and the Client SDK uses that JWT in createSession().

Session model

  • Vonage API controls session lifecycle.
  • The Client SDK does not mint JWTs and does not manage token issuance.
  • Your backend remains the source of truth for identity and access policy.

Authentication flow

Backend JWT minting

INFO

The example below illustrates the required JWT structure. Your actual implementation will vary based on your backend language and framework.

JWTs must be generated on your server. The exact implementation is app-specific.

const privateKeyPem =
  '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----';

const payload: GuideJwtPayload = {
  application_id: applicationId,
  sub: userName,
  acl: {
    paths: {
      '/*/users/**': {},
      '/*/conversations/**': {},
      '/*/sessions/**': {},
      '/*/devices/**': {},
      '/*/image/**': {},
      '/*/media/**': {},
      '/*/applications/**': {}
    }
  },
  exp: Math.floor(Date.now() / 1000) + 60 * 60
};

const jwt = signJwt(payload, privateKeyPem);
console.log(jwt);

Create a session

 val client = VoiceClient(ctx)

 val config = VGClientConfig(VGConfigRegion.EU)
 client.setConfig(config)

 client.createSession(jwt) { error, sessionId ->
     if (error != null) {
         println("Failed to create session: $error")
         return@createSession
     }

     println("Session created: $sessionId")
 }

Session lifetime

A session lives for as long as the JWT used in createSession() is valid. The session lifetime is set by the JWT's exp claim — your backend controls how long that is (minimum 30 seconds, maximum 24 hours, default 15 minutes if not set explicitly). The SDK does not impose any session TTL of its own.

To extend a session before its JWT expires, call refreshSession(jwt) with a fresh JWT. Many customers issue short-lived (15-minute) JWTs and refresh every ~10 minutes from their backend.

Reconnecting after a transient disconnect

If the WebSocket disconnects for any reason (network loss, app suspended, tab closed), the backend marks the session as disconnected but keeps it alive for approximately 15 minutes so the client can reattach. During that window:

In both cases, the backend replays any events that arrived while you were disconnected (incoming call invites, etc.), so a customer can still answer a call that came in during the reconnection window.

After ~15 minutes without a reconnect, the session is deleted and you must call createSession(jwt) with a fresh JWT to start a new one.

See Vonage Client SDK Sessions for more details on session lifecycle.

WARNING

Session TTL (15 minutes) and JWT expiry (exp claim) are independent. A JWT can be valid for longer than 15 minutes, but the session still expires after 15 minutes unless refreshed. Always refresh or recreate the session before the TTL elapses.

Handling errors

createSession can fail for several reasons. Always handle the error callback:

kotlin
client.createSession(token) { error, sessionId ->
    if (error != null) {
        when {
            error.message?.contains("token") == true ->
                // Invalid or expired JWT — request a new one from your backend
                println("Token error: $error")
            error.message?.contains("already active") == true ->
                // Session already exists — call deleteSession first if you need a fresh session
                println("Session already active")
            else ->
                println("Session creation failed: $error")
        }
    } else {
        println("Session created: $sessionId")
    }
}

For a full list of possible error types, see Errors.

Built with VitePress.