3 months ago
About 5 weeks ago my webapp started requiring reauthentication every 10 minutes. No changes were made to the app. Railway changed some settings and broke the UX.
How can I fix this?
1 Replies
3 months ago
Hey @alexworden,
The forced reauthentication every 10 minutes is happening on the Railway dashboard (railway.app) itself, not in your deployed webapp. No changes to your code, stack (Express/NextAuth/JWT/etc.), or settings would trigger this; it's a platform-side session behavior.
Technical breakdown:
Railway authenticates via GitHub OAuth, issuing tokens and managing sessions with secure cookies (HttpOnly + SameSite).
The dashboard (React app) likely uses a client-side idle tracker or periodic heartbeat to validate session state against backend API endpoints (e.g., /api/v2/ calls).
After 10-15 minutes of tab inactivity (no mouse/keyboard events or UI-driven API requests), the server marks the session as idle and expires it for security, preventing risks like session hijacking on shared/unattended devices.
On next interaction, the frontend hits a 401/unauthorized response and redirects to the OAuth reauth flow.
This matches a probable security update around late Oct/early Nov 2025 (aligning with your 5-week timeline), though no explicit announcement in changelogs. Similar short idle timeouts are standard in cloud platforms (e.g., Vercel, AWS Console) for compliance/best practices.
No logs in your app will capture this, as it doesn't reach your service.
Workarounds (no user-configurable timeout exists):
Stay active - Clicking around, scrolling logs, or refreshing resets the idle timer.
Keep tab alive - Occasional manual activity, or lightweight browser extensions (e.g., auto-refresher or mouse jiggler) to simulate input; nothing heavy that could flag ToS.
Use Railway CLI heavily - Token-based auth with no idle timeouts:
railway login # One-time, persists long-term
railway up / logs --follow / variables / etc.
Ideal for monitoring, deploys, and vars without dashboard babysitting.
Multiple/new tabs - Timeout appears per-session; fresh tab starts a new timer.
If it's really hurting your workflow, pile on here or search/start a feedback thread on Central Station. Railway team is responsive to community UX pain points.
If this is somehow hitting your deployed app's user sessions instead (unlikely based on description), drop your stack details or a sample log line showing logout; happy to troubleshoot that angle!
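The server-side idle expiry described in the reply above, as an added example that is not part of the original thread and not Railway's code: a sliding idle window that each authenticated request resets, with a 401 once the gap is exceeded. The `SessionStore` and `replay` names are hypothetical, the 10-minute window is taken from the thread, and the absolute lifetime cap is an assumption that goes beyond what the reply describes.

```javascript
// Added illustration: server-side sliding idle timeout. Not Railway's code.
const { randomBytes } = require('node:crypto');

const IDLE_MS = 10 * 60 * 1000;          // assumed idle window (10 minutes, per the thread)
const ABSOLUTE_MS = 8 * 60 * 60 * 1000;  // assumed hard cap, regardless of activity

class SessionStore {
  constructor(now = Date.now) {
    this.now = now;              // injectable clock so a timeline can be replayed
    this.sessions = new Map();   // id -> { user, createdAt, lastSeen }
  }

  create(user) {
    const id = randomBytes(32).toString('hex');
    const t = this.now();
    this.sessions.set(id, { user, createdAt: t, lastSeen: t });
    return id;
  }

  // Called for every authenticated API request. Returns the HTTP status the
  // API would send plus the reason, and slides the idle window on success.
  check(id) {
    const s = this.sessions.get(id);
    if (!s) return { status: 401, reason: 'unknown' };
    const t = this.now();
    let reason = null;
    if (t - s.lastSeen > IDLE_MS) reason = 'idle';
    else if (t - s.createdAt > ABSOLUTE_MS) reason = 'absolute';
    if (reason) {
      this.sessions.delete(id);  // expired server-side; the cookie alone is now useless
      return { status: 401, reason };
    }
    s.lastSeen = t;              // activity resets the idle timer
    return { status: 200, reason: null };
  }
}

// Constructed timeline: request times in minutes after login.
function replay(minutes) {
  let clock = 0;
  const store = new SessionStore(() => clock);
  const id = store.create('alice');
  return minutes.map((m) => {
    clock = m * 60 * 1000;
    const r = store.check(id);
    return r.status === 200 ? 'ok' : r.reason;
  });
}
console.log(replay([5, 14, 23, 40, 41]));
```

If logouts in your own app line up with gaps between requests, the idle branch is the likely cause; if they land at a fixed time after login even while active, look at the absolute lifetime or token expiry instead.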

