Skip to content

User Session API

The User Session API provides capabilities for managing user sessions. Like the endpoints in the end user API, the session endpoints are only accessible with valid API client credentials. These endpoints can be utilized by a web application to list active sessions for a specific user. For instance, the web application might want to display a list of active sessions to the user, including details such as session ID, authentication time, last issued access time, user agent, and location information.

In addition to listing sessions, this API also allows for terminating user sessions. These termination endpoints provide a layer of security and control over user sessions. It ensures old and inactive sessions can be properly ended as needed, maintaining the integrity of the user's active sessions.

List User Sessions

Endpoint: GET /oauth/api/v1/users/{userId}/sessions

Parameter Description
userId User identifier

This endpoint requires basic authentication using the API client credentials. If the user does not exist, or if the user has no active sessions, a 404 Not Found is returned. If there are active sessions, a response is returned with an array of session details.

Attribute Description
session_id Identifier of the session.
auth_time A timestamp indicating when the user was authenticated in this session.
last_iat A timestamp indicating when the last Access Token was issued for the user in this session.
user_agent A string indicating the user agent of the device used in the session.
location An object containing location information such as IP address.
clients An array of objects representing the clients associated with the session, including client ID and name.

Example response:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

  "result": [
      "session_id": "8f4ecb2b-7bc1-47bc-95e1-0b02ae4b6e32",
      "auth_time": "2023-11-13T09:31:49.231460Z",
      "last_iat": "2023-11-13T09:31:49.340Z",
      "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0",
      "location": {
        "ip_address": ""
      "clients": [
          "id": "my-client",
          "name": "my-client"

Example error response:

  "error": "No sessions found"

End User Sessions

End All Sessions

Endpoint: DELETE /oauth/api/v1/users/{userId}/sessions

Parameter Description
userId User's unique identifier

This secure endpoint requires authentication using API credentials. It has been designed to delete every active session of a specified user. Default behavior is to remove the associated tokens as well.

Upon successful deletion, a 204 No Content status is sent back. If the user doesn't exist or has no active sessions, it will also result in 204 No Content being returned.

Query Parameters:

Parameter Description Default
removeTokens If true, additionally scraps all of the associated tokens. true

End a Specific Session

Endpoint: DELETE /oauth/api/v1/users/{userId}/sessions/{sessionId}

Parameter Description
userId User's unique identifier
sessionId Session's unique identifier

This endpoint, protected by authentication via client credentials, removes an individual session of the user in question. By default, the associated tokens are removed too.

Upon successful deletion, you'll receive a 204 No Content status. If the user or the session is nonexistent, a status 204 No Content is sent back as well.

Query Parameters:

Parameter Description Default
removeTokens If true, cleans out all of the tokens associated with the session. true

Both of these endpoints are invaluable security tools that help you administer user sessions and ensure that older, unused sessions are appropriately terminated thereby enhancing your control over the process of user authentication.