There is idle Authentication Timeout and Requestor Passivation timeout.
The Authentication timeout for a Mashup would be part of the AuthService you are using. On the custom tab there is a check box for "Use PegaRULES timeout". When checked the AccessGroup timeout value is then used. When a user is idle for the amount of time specified in the AccessGroup timeout field and an request is made the timeout activity is run first. (This doesn't run in the background)
Note: Authentication idle timeouts with a mashup get a bit tricky as we are embedded in a top level application via an Iframe. Our timeouts and the top level application timeouts might be different. Working in the top level application doesn't reset our idle timeout and working within the PRPC Iframe doesn't reset the top level application idle timeout.
I typically don't use PRPC Idle Authentication timeouts with a Mashup.
The passivation timeout settings don't really need to be changed as this is just memory cleanup that occurs by default with 1 hour for the requestor, 30 minutes for requestor thread pages, and 15 minute for requestor pages. The requestor will show up in the requestor list in admin pages for the full hour but memory is being freed.
This can be adjusted with the DSS: Pega-Engine / prconfig/timeout/browser/default (value is in seconds)
When you adjust this value then passivation for thread page and pages is then automatically adjusted as well. Thread pages half the requestor timeout and pages half the thread page timeout.
Again, you shouldn't have to change this but if you do don't set it to low.
This is completely separate from Authentication timeout. The requestor maybe passivated but it can still be restored from passivation state with out any authenication.