# Session Authenticate (Cert)

{% hint style="warning" %}
**Backward compatibility breaking notice**: Starting in **March 2025**, the request's Content-type header must be empty, and its body must be null.
{% endhint %}

{% openapi src="<https://544392450-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F909t04Fk8FiEI7fBcmlw%2Fuploads%2Fgit-blob-fbac22e6de11bb95e3f2243769875c33684b49d8%2Fauthenticator-api-public.yaml?alt=media>" path="/v1/authenticate" method="post" expanded="true" fullWidth="true" %}
[authenticator-api-public.yaml](https://544392450-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F909t04Fk8FiEI7fBcmlw%2Fuploads%2Fgit-blob-fbac22e6de11bb95e3f2243769875c33684b49d8%2Fauthenticator-api-public.yaml?alt=media)
{% endopenapi %}

> #### ❗️ Session Token Management
>
> The token you receive is valid for the lifetime of a session that is defined by your pod's administration team. This ranges from 1 hour to 2 weeks.
>
> You should keep using the same token until you receive an HTTP 401, at which point you should re-authenticate and get a new token for a new session.
>
> [Datafeeds](https://rest-api.symphony.com/main/datafeed) survive session expiration, so you do not need to re-create your datafeed if your session expires.

To call the Session Authenticate endpoint, you must provide a certificate where the Common Name of the certificate matches the username of an active Service User account on your pod.

> #### 🚧 Important
>
> * Before calling any of the Pod or Agent API endpoints, the caller must be authenticated on both the pod and key manager by calling this endpoint, followed by the [Key Manager Authenticate](https://rest-api.symphony.com/main/bot-authentication/rsa-key-manager-authenticate) endpoint.
> * The certificate used for authentication (and therefore the Root certificate) must have a strength of 4096 bits, or the certificate will be rejected.
> * Symphony prevents bots from calling this endpoint when the following conditions are true:
>   * An application and a bot have the same name.
>   * The application specifies a [valid certificate in its manifest file](https://docs.developers.symphony.com/building-extension-applications-on-symphony/app-configuration/application-manifest-bundle-file-reference).
>   * The application is enabled and not marked for deletion. For more information about enabling and deleting applications, see the *Symphony Administration Guide*.
> * The request's Content-type header must be empty, and its body must be null.

*Note that the Session Authenticate endpoint may return an `authorizationToken` (a short-lived access token built from a user session) in addition to the session token. This field has been introduced as beta and should not be used until further notice; please continue using the returned "token" instead.*
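
The following is an added example, not code from Symphony: a standard-library Python client that sends the certificate-authenticated POST with no body and no Content-Type header, reuses the returned "token", and re-authenticates only after an HTTP 401. The host name, any base-path prefix in front of `/v1/authenticate`, the certificate and key file paths, and the `api_request` callable are assumptions to replace with your pod's values.

```python
import http.client
import json
import ssl

AUTH_PATH = "/v1/authenticate"  # path from this page; any prefix is deployment-specific


def cert_transport(host, cert_file, key_file):
    """Return a callable that POSTs over mutual TLS.

    host, cert_file and key_file are assumptions supplied by the caller.
    """
    ctx = ssl.create_default_context()        # server certificate verification stays on
    ctx.load_cert_chain(cert_file, key_file)  # client cert whose CN is the service user name

    def post(path):
        conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
        try:
            # body=None with no headers: no Content-Type is sent, only Content-Length: 0
            conn.request("POST", path, body=None, headers={})
            resp = conn.getresponse()
            return resp.status, resp.read()
        finally:
            conn.close()
    return post


class SessionTokens:
    """Reuse one session token; start a new session only after an HTTP 401."""

    def __init__(self, post):
        self._post = post
        self._token = None

    def token(self):
        if self._token is None:
            status, body = self._post(AUTH_PATH)
            if status != 200:
                raise RuntimeError(f"session authenticate failed: HTTP {status}")
            # Read "token" only; the beta "authorizationToken" field is ignored.
            self._token = json.loads(body)["token"]
        return self._token

    def call(self, api_request):
        """api_request(token) -> (status, body) is a hypothetical caller-supplied function."""
        status, body = api_request(self.token())
        if status == 401:  # session expired: authenticate again and retry once
            self._token = None
            status, body = api_request(self.token())
        return status, body
```

In production, construct it as `SessionTokens(cert_transport(host, cert_file, key_file))`; the transport is injectable so the 401 handling can be exercised without a pod.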
