How device sessions work

Device sessions are a built-in mechanism that maintains continuous communication with Fraud Prevention services for telemetry and event collection. These sessions are created automatically by the Fraud Prevention SDK during initialization and are refreshed periodically according to internal security and communication rules. A device session token (session_token) uniquely identifies the device session to Mosaic.

Fraud Prevention device sessions and device session tokens are independent of user logins, browser sessions, or application sessions. As a developer, you don't need to manage device sessions or synchronize them with user login or app sessions on your end. Because a device session represents the physical device rather than a specific user or browser session, multiple users using the same device may share the same device session.

Important

There is no need to manage or validate device sessions. These are managed and consumed entirely by the Fraud Prevention SDKs and Mosaic server.

How device sessions are utilized

A device session is created when the SDK is initialized, and the SDK immediately starts sending telemetry data to Mosaic. The telemetry data is associated with a specific device session and identified using the device session token. The app can request the device session token from the Fraud Prevention SDK.

During the device session:

  • The SDK triggers user actions. Alternatively, you can report events via backend API calls.
  • Reporting the user ID for the login event builds an association between the user and their actions for the duration of the device session, which allows building a more reliable risk profile.
  • The user is cleared automatically when the device session expires; you can also clear the user explicitly before expiration.
  • Device sessions are automatically refreshed by the SDK—there is no need for your app to manage token expiration or manually refresh it. To enable support for retrieving a device session token, set enableSessionToken: true when initializing the SDK.

For more information on maintaining user identity, see this guide.

[Sequence diagram. Participants: Your app, Fraud Prevention SDK, Mosaic. Messages: Initialize SDK; Create device session (generate device session token); Telemetry; getSessionToken() (optional); Return session_token; optional, within the device session: Trigger action events (via SDK or API).]

Obtain session token

Use the session token if you want to trigger action events (such as a login or transaction attempt) from the backend using API calls.

To enable retrieval of the session token, initialize the SDK with the option enableSessionToken: true (see initialization instructions here). Then, call the getSessionToken() SDK method to retrieve the current device session token as a string (session_token). For complete implementation details, see the Backend integration guide.

The session token is not needed when using the SDK to trigger events.

Request a device session token using the SDK call as described below:

JavaScript:

    const sessionToken = await window.tsPlatform.drs.getSessionToken();

Kotlin:

    TSAccountProtection.getSessionToken(object : ISessionTokenCallback {
        override fun onSessionToken(sessionToken: String) {
            // sessionToken holds the current device session token
        }
    })

Swift:

    TSAccountProtection.getSessionToken { token in
        debugPrint("[DEBUG]: Fraud Prevention device session token: \(token)")
    }

Note

Device sessions are automatically refreshed by the SDK—calling getSessionToken() always returns a valid token.
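
The following is an added example, not code from the Fraud Prevention SDK or its documentation, showing one way to pass the device session token to your own backend so it can trigger action events. The /api/login path, the X-Device-Session-Token header, the helper names and the 2-second timeout are assumptions; the token is requested at call time rather than cached, because the SDK refreshes device sessions on its own.

```javascript
// Added example: names marked "assumed" are not part of the SDK.
const TOKEN_HEADER = 'X-Device-Session-Token'; // assumed header name
const TOKEN_TIMEOUT_MS = 2000;                 // assumed budget for the SDK call

// Ask the SDK for the current token on every call. The SDK refreshes device
// sessions itself, so a copy cached earlier could be stale when it is used.
async function currentSessionToken(drs, timeoutMs = TOKEN_TIMEOUT_MS) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve(null), timeoutMs);
  });
  try {
    const token = await Promise.race([drs.getSessionToken(), timeout]);
    return typeof token === 'string' && token.length > 0 ? token : null;
  } catch (err) {
    return null; // the SDK call failed; continue without a token
  } finally {
    clearTimeout(timer);
  }
}

// Build the request for your own backend (assumed path /api/login). The token
// identifies the device session, not the user, so it travels next to the
// credentials and never replaces them. With no token, the request is still
// sent and the backend decides how to treat it.
async function buildLoginRequest(drs, username, password) {
  const headers = { 'Content-Type': 'application/json' };
  const token = await currentSessionToken(drs);
  if (token !== null) {
    headers[TOKEN_HEADER] = token;
  }
  return {
    url: '/api/login',
    init: { method: 'POST', headers, body: JSON.stringify({ username, password }) },
  };
}

// Browser usage (SDK initialized with enableSessionToken: true):
//   const { url, init } = await buildLoginRequest(window.tsPlatform.drs, u, p);
//   const response = await fetch(url, init);
```

On the backend, treat the received value as an opaque string to forward when reporting the event, not as proof of who the user is.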

Recommendations and device sessions

Obtaining recommendations isn’t tied to a specific device session. Depending on your business flows, it can occur immediately after triggering action events (e.g., for real-time assessment of high-risk actions) or asynchronously (e.g., in monitoring mode with manual risk review procedures).