
Security & Authentication

How Session securely handles VRChat API integrations.

We believe that your VRChat account is your most valuable digital asset. Session ensures complete security.


Zero-Knowledge Architecture

Session is built using a Zero-Knowledge authentication passthrough.

  • Direct API Passthrough: When you log into Session using your VRChat credentials, your username, password, and 2FA codes are sent directly to the official VRChat API.
  • No Password Storage: Session never saves, logs, or stores your VRChat password.
  • Cookie Authentication: Upon successful login, the VRChat API returns a temporary encrypted authentication cookie. Session uses this cookie to verify your avatar and status.

Important: If you change your VRChat password or log out of all devices via the VRChat website, your Session authentication cookie is immediately invalidated.


The Escrow Bot System

Session uses a fleet of automated VRChat accounts known as Escrow Bots to manage the physical layer of matchmaking.

How Escrow Bots Protect You:

  1. Private Instances: All matches occur in isolated Invite+ instances created by the Escrow Bot.
  2. Targeted Invites: The bot only sends an in-game invite to the two matched users.
  3. Ghost Operation: The bot never enters the instance itself; it simply opens the doorway and then leaves you alone.
  4. Anonymity: Because the instance is owned by a bot, people on your VRChat friends list cannot see who you are with, which prevents stream-sniping or harassment.