Authentication
Auth states
| State | Dot | Meaning |
|---|---|---|
| Authenticated | ● (solid) | Active login — you explicitly authenticated through this profile |
| Shared | ⊙ (shared) | Authenticated via org token, not explicitly logged in |
| Expiring | ◐ | Session ending soon (within configured warning window) |
| Expired | ○ | Re-login required |
Login
Click Login on any profile. Mimic:
- Checks if the SSO token is already valid (shared across org profiles)
- If expired, opens browser for SSO sign-in
- Marks the profile as the active login for that SSO session
- Optionally sets it as the default profile (if enabled in settings)
Force re-login
Expand an active profile and click Re-login, or use the context menu. This clears the SSO cache first, so the browser re-authenticates even if the portal session is still valid.
Logout
Expand an active profile and click Log out, or use the context menu. This clears the active marker; the shared token remains usable until it expires.
Silent refresh
The AWS CLI silently refreshes the SSO token in the background when you run CLI commands, as long as the portal session is still valid (typically 8h). Mimic detects these refreshes via polling and updates the timer automatically.
Timer widget
Active profiles show a countdown to token expiry. Hover for the exact expiry time.
Session expiry notifications
When a session expires and silent refresh fails, Mimic shows a desktop notification. If auto-re-login is enabled, it automatically opens the browser flow.
Credential types
| Type | Source |
|---|---|
| SSO | Standard AWS Identity Center profile |
| AssumeRole | source_profile chain to an SSO profile |
Granted/<provider> | Profiles generated by Granted CLI |
AssumeRole chain resolution
Mimic follows source_profile chains to find the SSO root. Logging in through an AssumeRole profile authenticates the entire chain. Expiry and silent refresh propagate through the chain automatically.
Supported SSO session configurations
- Profiles with
sso_sessionreferencing a[sso-session]block - Profiles with inline
sso_start_url(legacy) - Profiles chaining via
source_profileto any of the above