How admin invitations and sessions work
MapleGather uses a magic-link invitation model so new admins never receive a password in email — and session controls give your organization the right balance between convenience and security.
The short version
Section titled “The short version”When you invite someone as an admin, MapleGather sends them a one-time magic link by email. The invitee clicks the link, sets their own password, and their account becomes active. Sessions stay live based on your organization’s configured session lifetime, and sensitive actions prompt a quick re-authentication check before they proceed.
How it works
Section titled “How it works”Invitation lifecycle
Section titled “Invitation lifecycle”When you send an invitation, MapleGather generates a tokenized magic link and emails it to the invitee. The token is valid for 30 days and is single-use — it works on any device and browser, so the invitee isn’t locked to the machine where they opened the email.
The invitee clicks the link, creates a password that meets your organization’s password policy, and their account is activated. No plaintext credentials ever appear in an invitation email.
Invitation states move in one direction:
Pending → Accepted (when the invitee completes setup)
A pending invitation can also become Expired (after 30 days with no action) or Revoked (if you cancel it before the invitee accepts).
Re-sending invitations
Section titled “Re-sending invitations”If an invitation expires or the invitee loses the link, you can resend it from Admin & Security → Admins → Pending invitations → row ⋮ → Resend invite. To prevent token spam, resend becomes available 7 days after the last send.
Session lifetime
Section titled “Session lifetime”MapleGather supports two session modes:
- Remember me (default 14 days) — suitable for personal devices where the admin is the only user.
- Workstation session (default 8 hours) — suitable for shared or public devices. The session ends automatically after 8 hours.
Both lifetimes are configurable under your organization’s password policy. See Configure password policy and session settings for the full options.
Re-authentication for sensitive actions
Section titled “Re-authentication for sensitive actions”Certain high-impact actions require the signed-in admin to confirm their password before proceeding, regardless of how long the session has been active. If the session has been idle longer than the configured re-auth threshold (default 5 minutes), a dialog appears asking for the admin’s current password. The action only proceeds after the password is confirmed.
Actions that trigger re-authentication include:
- Changing a password
- Adding or replacing a payment method
- Granting admin access to another member
Why it works this way
Section titled “Why it works this way”Token-based invitations mean the inviting admin never has to create or share a temporary password. This prevents credential sharing and puts each admin in control of their own login from day one. Re-authentication checkpoints add a targeted layer of security for the actions with the broadest organizational impact without requiring a full sign-out and sign-in.
Edge cases & boundaries
Section titled “Edge cases & boundaries”- The magic link is single-use — once accepted, it cannot be used again.
- Resend is available 7 days after the last send to prevent token spam.
- Revoking a pending invitation invalidates the outstanding link immediately — the invitee sees the expired-invitation page if they click the old link afterward.
- Multi-factor authentication enrollment is planned for a future release and will extend the re-authentication model.