How it works
Support creates a session
A support staff member creates an impersonation session specifying your
tenant, the required permission scopes, and a reason for access.
Session is time-limited
Every session has an automatic expiration time. When the session expires,
access is revoked immediately — no manual action required.
Actions are recorded
Every action the support staff member takes during the session is logged as
an audit event tied to the session ID. You can review these events in your
audit log.
Session properties
| Property | Description |
|---|---|
| Scopes | The specific permissions granted for the session (e.g., read-only access to attestations, or access to billing settings). |
| Reason | A human-readable explanation of why the session was created. |
| Status | ACTIVE (in use), EXPIRED (time limit reached), or REVOKED (manually ended). |
| Issued at | When the session was created. |
| Expires at | When the session automatically expires. |
Session lifecycle
- Active — the session is in use and the support staff member has access to the granted scopes.
- Expired — the time limit has been reached and access is automatically revoked.
- Revoked — a platform administrator ended the session early.
Reviewing support activity
All support session activity appears in your tenant’s audit log. Filter by thesupport_session event category to see exactly what was accessed and when.
Security guarantees
Scoped access
Sessions are restricted to specific permission scopes. Support cannot
access resources outside the granted scopes.
Time-limited
Every session expires automatically. There are no permanent support
access grants.
Full audit trail
Every action is recorded in your tenant’s audit log with the session ID
and staff identity.
Revocable
Active sessions can be revoked at any time by a platform administrator.
Related
Audit logs
View and export your tenant’s audit events.
RBAC
Understand roles and permission scopes.