You Didn't Touch Your Banking App for Three Days
You open it. Password prompt, blank screen, the quiet indignity of being treated like a stranger on your own phone. Then you open Instagram, same three-day gap, and it drops you straight into your feed without so much as a raised eyebrow. Same device. Same absence. Completely different outcome.
This isn't a glitch. It's a deliberate engineering decision, and once you understand the logic, session timeouts start reading like an X-ray into how much an app trusts its own users.
The short answer: apps expire your login based on what you were doing, how sensitive that action was, and how long you've been idle. The longer answer involves tokens, risk signals, and one concept most people have never encountered.
Tokens Are the Actual Thing That Expires
When you log into an app, you don't maintain some continuous live connection to a server. The server hands you a small encrypted credential called an access token. Think of it as a wristband at a music festival: proof you paid to get in, checkable by staff without a call to the box office every time.
Access tokens have a built-in expiry, often somewhere between fifteen minutes and a few hours. When one expires, the app quietly uses a second credential, a refresh token, to fetch a new access token in the background. You never see this. The refresh token lasts much longer, sometimes weeks or months, and its expiry is what you actually notice when you get logged out.
So the real question is when does the app decide to invalidate or refuse to renew the refresh token.
That decision depends heavily on what you were doing.
Risk-Tiered Sessions: The Mechanic That Changes Everything
Modern authentication systems don't treat all activity as equal. They tier it by risk.
Consider two people using the same mobile banking app. Maya checks her balance most mornings, nothing more. Priya uses the same app but transfers money between accounts a few times a week and occasionally adds new payees. Both have refresh tokens. Priya's session is almost certainly shorter, or at least subject to more frequent re-authentication challenges, because the actions she performs sit in a higher-risk tier.
This is called adaptive authentication. The session doesn't just track time; it tracks what you did last and assigns a sensitivity score to it. A read-only action like checking a balance produces a low-sensitivity signal. A write action like sending money, changing a password, or approving a new device spikes the score. Some systems demand re-authentication immediately after a high-sensitivity action, even if you logged in two minutes ago.
Google's OAuth 2.0 implementation, used across millions of third-party apps, supports exactly this through token scopes and offline access. Apps requesting only basic profile information get generous refresh windows. Apps requesting access to Gmail or Drive face stricter refresh policies by design. The stakes determine the leash length. That's not arbitrary. That's correct.
The Idle Clock Is Not the Only Clock Running
Here's what trips most people up. They assume session expiry is purely about idle time: don't use the app for X hours, get logged out. That's one factor. There are at least three others running at the same time.
First, absolute session lifetime. Some security policies cap how long any session can last regardless of activity. A session alive for thirty days might get terminated even if you've been in the app every single day. Common in enterprise software and healthcare apps governed by compliance frameworks like HIPAA.
Second, device trust score. Log into an app on a familiar device after completing a verification step and that device accumulates trust. A trusted device gets a longer leash. Log into the same account from a new phone and the session will be shorter until that device builds its own history.
Third, network and location signals. Logging in from your home Wi-Fi on a Tuesday afternoon is a low-risk signal. Logging in from an airport network in a country you've never visited is a high-risk signal. Apps using adaptive authentication will shorten the session, sometimes dramatically, when that risk score jumps. You might get logged out after twenty minutes when you'd normally stay in for a week.
Put those together and you can see why session expiry feels arbitrary. It isn't. It's the output of a live risk calculation with several inputs you can't directly observe.
What People Consistently Misread About This
The most common misread is that frequent logouts mean an app is poorly built. Sometimes that's true. Usually, though, a short session on a financial or health app is a sign the security team is doing its job. Frustrating and correct are not mutually exclusive.
The second misread is that staying logged in is always more convenient and therefore always desirable. It's convenient right up until your unlocked phone sits on a café table while you go order coffee. A session that expires after fifteen minutes of idle time is annoying in the moment and quietly protective the rest of the time.
The third is subtler. People disable biometric login because they find it fussy, then wonder why the app keeps demanding their password. Biometrics often function as a local re-authentication layer that satisfies a step-up challenge without forcing a full network round-trip. Turn it off and the app falls back to password prompts at every sensitivity threshold it crosses. You traded a fingerprint scan for something slower and worse.
Reading Your Own Session Health
Most apps won't show you a session expiry timer, but you can infer a lot. If an app logs you out after every high-stakes action, it's using action-triggered expiry. If it logs you out after a fixed period regardless of what you did, it's running an absolute lifetime cap. If it keeps you logged in on your main phone but boots you quickly on a borrowed one, it's doing device-trust scoring.
Check your account's active sessions page if the app offers one. Google, Apple, and most major platforms list every device with an active session and roughly when it was last used. And if you see sessions from devices you don't recognise, that isn't a timeout problem. That's a different problem entirely, and you should close those sessions right now.
Session expiry isn't the app being forgetful. It's the app making a real-time judgment about how much it should trust this particular you, on this particular device, after this particular action. The frustration is real. So, for what it's worth, is the logic behind it.