You can set the maximum session lifetime (across all tenants) on the core. And then when you call createNewSession, then you can add to the accesstoken payload the specific timeout for that tenant.
You would also need to override the refresh function in the session recipe to check the session timeout, and modify the access token payload of the new session to modify the session timeout for the new access token.
Then, you can make your own middleware which will call getSession to verify the session, and then further check if the session is timedout based on the custom access token payload value. In case it is, you can send back a 401 to the frontend.