Session cache lifecycle
Role
Sessions (JWT / Durable Object session state, refresh handling) are not the same as domain caches, but lifecycle matters for:
- Who is the current user when computing permissions and canViewProfile on maintenance APIs.
- Revocation and logout: the next request must not see stale session-derived permissions.
Read path
- Session resolution runs per request (middleware / ensureCurrentUser).
- Cached session blobs (if any) must respect TTL and invalidation on:
  - Password change
  - Logout / revoke
  - Role or permission changes (if session embeds them; otherwise force refresh from DB)
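One way to meet the invalidation rules listed above, as an added example that is not the project's own code: each cached blob carries a per-user epoch, so a password, role or permission change makes all of that user's cached sessions stale in one write. SessionCache, resolveCurrentUser (standing in for ensureCurrentUser) and loadFromDb are hypothetical names, and the session data is constructed.

```javascript
// Added example: SessionCache, resolveCurrentUser and loadFromDb are hypothetical names.
class SessionCache {
  constructor({ ttlMs, now = () => Date.now() }) {
    this.ttlMs = ttlMs; this.now = now;
    this.blobs = new Map();  // sessionId -> { userId, permissions, epoch, expiresAt }
    this.epochs = new Map(); // userId -> counter bumped on each invalidating event
  }
  epochOf(userId) { return this.epochs.get(userId) ?? 0; }
  put(sessionId, { userId, permissions }) {
    const blob = { userId, permissions, epoch: this.epochOf(userId), expiresAt: this.now() + this.ttlMs };
    this.blobs.set(sessionId, blob);
    return blob;
  }
  // Serve a blob only while it is inside its TTL and was minted in the user's current epoch.
  get(sessionId) {
    const blob = this.blobs.get(sessionId);
    if (!blob) return null;
    const live = this.now() < blob.expiresAt && blob.epoch === this.epochOf(blob.userId);
    if (!live) this.blobs.delete(sessionId);
    return live ? blob : null;
  }
  revokeSession(sessionId) { this.blobs.delete(sessionId); } // logout / revoke
  // Password, role or permission change: all of the user's cached sessions go stale at once.
  invalidateUser(userId) { this.epochs.set(userId, this.epochOf(userId) + 1); }
}

// Per-request resolution: on a miss, re-read the authoritative store (null = revoked there).
function resolveCurrentUser(cache, sessionId, loadFromDb) {
  const hit = cache.get(sessionId);
  if (hit) return hit;
  const fresh = loadFromDb(sessionId);
  return fresh ? cache.put(sessionId, fresh) : null;
}

// Constructed scenario: one session whose permissions are downgraded, then logged out.
function runScenario() {
  const db = new Map([["s1", { userId: "u1", permissions: ["maintenance:write"] }]]);
  const cache = new SessionCache({ ttlMs: 60000 });
  const resolve = () => resolveCurrentUser(cache, "s1", (id) => db.get(id) ?? null);
  const out = { initial: resolve().permissions };
  db.set("s1", { userId: "u1", permissions: [] }); // role downgraded in the DB only
  out.withoutInvalidation = resolve().permissions; // stale cached blob is still served
  cache.invalidateUser("u1");
  out.afterInvalidation = resolve().permissions;   // epoch mismatch forces a DB refresh
  db.delete("s1"); cache.revokeSession("s1");      // logout removes both copies
  out.afterLogout = resolve();
  return out;
}
console.log(runScenario());
```

The `withoutInvalidation` field shows the failure mode: until the epoch is bumped or the TTL elapses, the downgraded user keeps the old permissions.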
Relationship to maintenance
Maintenance permissions and relatedUsers[].canViewProfile depend on viewer identity resolved from session. Session correctness precedes cache correctness for authorization.