fix: add multi-org session cookie behavior and permissions token (gap report)#712
… (gap report) Made-with: Cursor
No actionable comments were generated in the recent review.
Walkthrough: Updated documentation pages for authentication, session management, and access tokens: metadata dates advanced; new FAQs describe cross-tab refresh token behavior when switching organizations, how permissions appear in access tokens, and options to remove claims. No code or public API changes.
Deploying kinde-docs-preview with
Latest commit: de9d468
Status: ✅ Deploy successful!
Preview URL: https://04737f3f.kinde-docs-preview.pages.dev
Branch Preview URL: https://tamal-update-multi-org-sessi.kinde-docs-preview.pages.dev
Actionable comments posted: 1
🧹 Nitpick comments (1)
src/content/docs/authenticate/manage-authentication/navigate-between-organizations.mdx (1)
120-124: Keep this as a brief callout and defer detailed behavior to the canonical page. Lines 120-123 duplicate behavior details that already exist in src/content/docs/authenticate/manage-authentication/session-management.mdx (Lines 50-54). Trimming this section reduces drift risk.

Proposed simplification:
## Does the refresh token cookie affect other browser tabs when switching orgs? -Yes. The refresh token cookie is shared across all browser tabs on the same domain. When a user switches to a different organization, the shared cookie is updated with the new org's refresh token. Other open tabs will pick up the new organization context on their next token refresh. +Yes. Because the refresh token cookie is shared across tabs on the same domain, switching orgs in one tab can affect others after their next refresh. For more on how this works and available workarounds, see [Session management](/authenticate/manage-authentication/session-management/#does-switching-organizations-affect-other-browser-tabs).Based on learnings: In MDX documentation files, prefer “document once, reference anywhere” to avoid duplicated behavior descriptions.
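Review bot: the `+` line replaces the behavior text with a link whose anchor is `#does-switching-organizations-affect-other-browser-tabs`; that slug has to match the heading id the site generates for the new section in session-management.mdx, otherwise the cross-link silently resolves to the top of the page and the callout no longer leads readers to the detailed behavior it now defers to. Suggest confirming the rendered heading id on the branch preview before merging, and keeping the short "shared across tabs on the same domain" statement in the `+` line as written so the FAQ still answers the question if the anchor ever changes.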
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/content/docs/authenticate/manage-authentication/navigate-between-organizations.mdx` around lines 120 - 124, Remove the duplicated explanatory paragraph under the heading "Does the refresh token cookie affect other browser tabs when switching orgs?" and replace it with a short one-line callout that points readers to the canonical "Session management" page (the content in session-management.mdx) for full behavior details; ensure the new callout briefly states that the refresh token is shared across tabs and links to /authenticate/manage-authentication/session-management/#does-switching-organizations-affect-other-browser-tabs so the detailed behavior remains in one place.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/content/docs/build/tokens/about-access-tokens.mdx`:
- Around line 42-77: The JSON token example is malformed: close the unterminated strings for the "aud" entry value, each entry in the "permissions" array (e.g., "view:profile"), and the "scp" array value ("offline"), ensure proper commas between array items/fields, and remove the JavaScript comment after "sub" (replace it with a string value only); update the "aud", "permissions", "scp", and "sub" entries so the entire code block is valid JSON.
Files selected for processing (4):
- src/content/docs/authenticate/manage-authentication/navigate-between-organizations.mdx
- src/content/docs/authenticate/manage-authentication/session-management.mdx
- src/content/docs/build/tokens/about-access-tokens.mdx
- src/content/docs/manage-users/roles-and-permissions/user-permissions.mdx
Explains two areas of existing Kinde behavior that users are hitting unexpectedly, surfaced in the March 2026 gap report.

- session-management.mdx — new section explaining that the refresh_token cookie is shared across all tabs; switching orgs in one tab affects others on their next refresh, with a workaround for app-layer isolation
- navigate-between-organizations.mdx — short callout + cross-link to session management

Permissions in access tokens (Gap 8)

- about-access-tokens.mdx — new `## Can I remove claims to reduce token size?` section covering how to strip permissions, feature_flags, and other claims via the user token generation workflow
- user-permissions.mdx — cross-link to access tokens and the workflow
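The cross-tab behavior this PR documents (the refresh_token cookie is shared by every tab on the same domain, so an org switch in one tab changes what the other tabs receive on their next refresh) and the app-layer isolation workaround it mentions, as an added JavaScript simulation that is not part of this PR, the docs site, or Kinde's SDKs. The cookie jar, the fake auth server, the token strings and the org codes are all constructed for the example; the guard compares the org_code claim of a freshly refreshed access token with the org the tab was opened for, which is the check an app would run before trusting a refreshed session for org-scoped data.

```javascript
// Added example: simulates the shared refresh-token cookie across browser tabs
// and an app-layer guard that detects an organization switch made elsewhere.
// Everything below is constructed for illustration; it is not Kinde's code.

// Fake browser: one cookie jar shared by every tab on the same domain.
const cookieJar = new Map();

// Fake auth server: refresh token -> org code it was issued for (constructed).
const refreshTokenStore = new Map();
let tokenCounter = 0;

// Issue an opaque refresh token bound to an organization.
function issueRefreshToken(orgCode) {
  const token = `rt_${orgCode}_${++tokenCounter}`; // constructed token format
  refreshTokenStore.set(token, orgCode);
  return token;
}

// Exchange a refresh token for a new access token with a constructed claim set.
function refreshAccessToken(refreshToken) {
  const orgCode = refreshTokenStore.get(refreshToken);
  if (!orgCode) throw new Error("invalid refresh token");
  return { org_code: orgCode, exp: Date.now() + 60000 };
}

// A tab keeps its own in-memory access token and remembers which org it
// was opened for; the refresh token lives only in the shared cookie.
class Tab {
  constructor(name, orgCode) {
    this.name = name;
    this.expectedOrg = orgCode;
    this.accessToken = null;
  }

  // Switching org rewrites the shared cookie, which every other tab also reads.
  switchOrg(orgCode) {
    this.expectedOrg = orgCode;
    cookieJar.set("refresh_token", issueRefreshToken(orgCode));
    this.accessToken = refreshAccessToken(cookieJar.get("refresh_token"));
    return this.accessToken.org_code;
  }

  // A routine refresh uses whatever refresh token is in the cookie right now.
  refresh() {
    this.accessToken = refreshAccessToken(cookieJar.get("refresh_token"));
    return this.accessToken.org_code;
  }

  // App-layer isolation: flag a token whose org differs from this tab's org.
  orgDrifted() {
    return this.accessToken !== null && this.accessToken.org_code !== this.expectedOrg;
  }
}

// Walk through the scenario: two tabs in org_alpha, tab B switches to org_beta,
// tab A is unaffected until its next refresh, then the guard catches the drift.
function demo() {
  const tabA = new Tab("A", "org_alpha");
  const tabB = new Tab("B", "org_alpha");
  tabA.switchOrg("org_alpha");
  tabB.refresh();

  tabB.switchOrg("org_beta");
  const beforeRefresh = tabA.accessToken.org_code; // still org_alpha
  const afterRefresh = tabA.refresh();             // now org_beta

  return {
    beforeRefresh,
    afterRefresh,
    tabADrifted: tabA.orgDrifted(), // true: tab A expected org_alpha
    tabBDrifted: tabB.orgDrifted(), // false: tab B asked for the switch
  };
}

console.log(demo());
```

The guard only detects the drift; what the app does next (re-render for the new org, prompt the user, or re-establish the expected org) is the application's choice, and the page's own session-management section is the reference for the documented behavior.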