Extend session duration for mobile
Context
Users who book trips months in advance (booking a June trip in January) should remain logged in without re-authentication. Mobile devices are personal devices with a different threat model than shared web browsers — lower risk of unauthorized access, and re-authentication during trip planning is particularly disruptive.
Decision
365-day token duration with device binding.
- 365-day token expiration with sliding window refresh during active usage
- Device binding ties tokens to the originating device via UUID stored in iOS Keychain (survives reinstalls)
- Every authenticated request includes an X-Device-ID header; backend validates it matches the token claim
- Weekly key rotation with 365-day deprecation grace period ensures tokens never outlive their keys
Timeline example:
- Day 0: Key A active, token issued with device_id claim
- Day 7: Key B active, Key A deprecated
- Day 365: Token expires (user must re-authenticate)
- Day 372: Key A revoked and cleaned up
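Worked example of the token lifecycle above, added here and not part of the original decision record: tokens carry a device_id and kid claim, are signed with the currently active key, and a request is accepted only if the key is still known (active or deprecated), the signature and expiry check out, and the X-Device-ID header matches the claim. The key store, secrets and token format (HMAC-SHA256 over a base64url JSON body) are constructed assumptions.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed key store: kid -> (secret, status). Per the timeline, Key A is
# "deprecated" once Key B is active, and becomes "revoked" 365 days later.
KEYS = {
    "A": (b"constructed-secret-key-A", "deprecated"),
    "B": (b"constructed-secret-key-B", "active"),
}
TOKEN_TTL = 365 * 24 * 3600  # 365-day token duration, in seconds

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(kid: str, body: bytes) -> str:
    return _b64(hmac.new(KEYS[kid][0], body, hashlib.sha256).digest())

def issue_token(user_id: str, device_id: str, now: int) -> str:
    """Sign claims with the active key and bind the token to device_id."""
    kid = next(k for k, (_, status) in KEYS.items() if status == "active")
    claims = {"sub": user_id, "device_id": device_id, "kid": kid,
              "exp": now + TOKEN_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_sign(kid, body.encode())}"

def verify_request(token: str, device_header: str, now: int) -> Optional[str]:
    """Return the user id if the request is valid, None otherwise."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        kid, exp = claims["kid"], int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    key = KEYS.get(kid)
    if key is None or key[1] == "revoked":   # unknown or cleaned-up key
        return None
    if not hmac.compare_digest(sig, _sign(kid, body.encode())):
        return None
    if now >= exp:                            # 365-day expiry reached
        return None
    # Device binding: header must equal the claim (constant-time compare)
    if not hmac.compare_digest(str(claims.get("device_id", "")), device_header):
        return None
    return claims["sub"]
```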
Consequences
Users remain authenticated through the entire planning-to-travel lifecycle. Device binding prevents stolen tokens from being useful on other devices without requiring revocation infrastructure.
Longer exposure window if a device is compromised, but mobile devices are personal and users can sign out to invalidate. Future option: user-level revocation via database flags if needed.