Skip to content

How admin invitations and sessions work

MapleGather uses a magic-link invitation model so new admins never receive a password in email — and session controls give your organization the right balance between convenience and security.

When you invite someone as an admin, MapleGather sends them a one-time magic link by email. The invitee clicks the link, sets their own password, and their account becomes active. Sessions stay live based on your organization’s configured session lifetime, and sensitive actions prompt a quick re-authentication check before they proceed.

When you send an invitation, MapleGather generates a tokenized magic link and emails it to the invitee. The token is valid for 30 days and is single-use — it works on any device and browser, so the invitee isn’t locked to the machine where they opened the email.

The invitee clicks the link, creates a password that meets your organization’s password policy, and their account is activated. No plaintext credentials ever appear in an invitation email.

Invitation states move in one direction:

PendingAccepted (when the invitee completes setup)

A pending invitation can also become Expired (after 30 days with no action) or Revoked (if you cancel it before the invitee accepts).

If an invitation expires or the invitee loses the link, you can resend it from Admin & SecurityAdminsPending invitations → row Resend invite. To prevent token spam, resend becomes available 7 days after the last send.

MapleGather supports two session modes:

  • Remember me (default 14 days) — suitable for personal devices where the admin is the only user.
  • Workstation session (default 8 hours) — suitable for shared or public devices. The session ends automatically after 8 hours.

Both lifetimes are configurable under your organization’s password policy. See Configure password policy and session settings for the full options.

Certain high-impact actions require the signed-in admin to confirm their password before proceeding, regardless of how long the session has been active. If the session has been idle longer than the configured re-auth threshold (default 5 minutes), a dialog appears asking for the admin’s current password. The action only proceeds after the password is confirmed.

Actions that trigger re-authentication include:

  • Changing a password
  • Adding or replacing a payment method
  • Granting admin access to another member

Token-based invitations mean the inviting admin never has to create or share a temporary password. This prevents credential sharing and puts each admin in control of their own login from day one. Re-authentication checkpoints add a targeted layer of security for the actions with the broadest organizational impact without requiring a full sign-out and sign-in.

  • The magic link is single-use — once accepted, it cannot be used again.
  • Resend is available 7 days after the last send to prevent token spam.
  • Revoking a pending invitation invalidates the outstanding link immediately — the invitee sees the expired-invitation page if they click the old link afterward.
  • Multi-factor authentication enrollment is planned for a future release and will extend the re-authentication model.