After authenticating to QuickFile and accessing the API sandbox page, if you leave both the QuickFile account and the API browser window open, then the API window authentication does not time out. The QuickFile account one does. I think the API window should utilise the same timeout as the main account window.
They do both actually share the same session; however, API requests don’t directly use session cookies, so the session is only used on the page load of the sandbox to prebind the request XML.
What happens is that when you go into the sandbox, it will use the application session to prebind your request XML (specifically the header). Now you could log out of the web app, but you’re still left with a valid XML request header.
The API endpoint will not check for an application session, as it doesn’t and can’t rely on that method of authentication; it will only use the XML header to authenticate the request.
As soon as you reload the page that XML header is lost and you will be prompted to log back in.
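
The behaviour described in the reply above, as a toy model added here (not part of the original posts and not QuickFile's code): the header fields, the HMAC scheme, the timeout values and all function names are assumptions. It shows the prebound header outliving the web session, plus an optional issued-at check as one way to bound the header's lifetime independently of the session.

```python
import hashlib
import hmac
import secrets

IDLE_TIMEOUT = 900      # assumed web-session idle timeout, seconds
HEADER_MAX_AGE = 900    # assumed lifetime for the optional header age check

API_KEYS = {"acct-1001": secrets.token_bytes(32)}   # constructed account and key
SESSIONS = {}                                       # session id -> [account, last_seen]


def login(account, now):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = [account, now]
    return sid


def session_account(sid, now):
    """Return the account for a live session, or None if missing or idle too long."""
    entry = SESSIONS.get(sid)
    if entry is None or now - entry[1] > IDLE_TIMEOUT:
        SESSIONS.pop(sid, None)
        return None
    entry[1] = now
    return entry[0]


def _mac(account, issued_at):
    msg = f"{account}|{issued_at}".encode()
    return hmac.new(API_KEYS[account], msg, hashlib.sha256).hexdigest()


def render_sandbox(sid, now):
    """Page load: the only step that consults the web session."""
    account = session_account(sid, now)
    if account is None:
        return None                      # browser is sent back to the login page
    return {"account": account, "issued_at": now, "auth": _mac(account, now)}


def api_authenticate(header, now, enforce_max_age=False):
    """API endpoint: looks at the request header only, never at SESSIONS."""
    account = header.get("account")
    if account not in API_KEYS:
        return False
    issued_at = header.get("issued_at", 0)
    if not hmac.compare_digest(header.get("auth", ""), _mac(account, issued_at)):
        return False
    return not enforce_max_age or now - issued_at <= HEADER_MAX_AGE
```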