Session management

Authenticated users can list and revoke active sessions when using the database strategy and an adapter that implements SessionLister (all bundled SQL/memory adapters do).

:::note JWT sessions

Credentials-only JWT sessions live in encrypted cookies — there is no server-side row to list. Session management APIs apply to database sessions.

:::

List sessions

```bash
curl https://app.example.com/auth/sessions \
  -H "Authorization: Bearer ACCESS_TOKEN"
```

Response:

```json
[
  {
    "sessionToken": "opaque-token",
    "userId": "user-1",
    "expires": "2026-07-01T12:00:00Z"
  }
]
```

Revoke a session

```bash
curl -X DELETE "https://app.example.com/auth/sessions?token=SESSION_TOKEN" \
  -H "Authorization: Bearer ACCESS_TOKEN"
```

Revokes another device’s session (e.g. “Sign out everywhere except this device”).

Simple UI pattern

```js
const res = await fetch("/auth/sessions", {
  headers: { Authorization: `Bearer ${accessToken}` },
});
if (!res.ok) throw new Error(`listing sessions failed: ${res.status}`);
const sessions = await res.json();

// Revoke every session except the one this device is using.
for (const s of sessions) {
  if (s.sessionToken !== currentSessionToken) {
    // Tokens are opaque strings, so encode them before placing them in the query.
    await fetch(`/auth/sessions?token=${encodeURIComponent(s.sessionToken)}`, {
      method: "DELETE",
      headers: { Authorization: `Bearer ${accessToken}` },
    });
  }
}
```

Advanced

  • Requires valid session on the request (cookie or bearer).
  • SessionInfo type in adapter.go — extend adapters for IP/user-agent if you fork an adapter.
  • Pair with MFA trusted devices for layered account security.
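The server-side half of "sign out everywhere except this device", covering the revoke endpoint above and the first two Advanced bullets, as an added example rather than code from this project: a constructed in-memory adapter with an assumed `SessionInfo` shape (the real type in `adapter.go` may differ) that lists only the caller's unexpired sessions and refuses to revoke a token the caller does not own.

```go
package main
import (
	"sync"
	"time"
)
// SessionInfo is an assumed shape of the type in adapter.go; the real one may differ.
type SessionInfo struct {
	SessionToken string
	UserID       string
	Expires      time.Time
}
// memoryStore is a constructed in-memory adapter for this example, not a bundled one.
type memoryStore struct {
	mu       sync.Mutex
	sessions map[string]SessionInfo // keyed by session token
}
// ListSessions returns only the caller's unexpired sessions.
func (m *memoryStore) ListSessions(userID string, now time.Time) []SessionInfo {
	m.mu.Lock()
	defer m.mu.Unlock()
	var out []SessionInfo
	for _, s := range m.sessions {
		if s.UserID == userID && s.Expires.After(now) {
			out = append(out, s)
		}
	}
	return out
}
// RevokeSession deletes one session, but only if it belongs to userID. Unknown tokens
// and other users' tokens both return false, so the endpoint cannot probe for tokens.
func (m *memoryStore) RevokeSession(userID, token string) bool {
	m.mu.Lock()
	defer m.mu.Unlock()
	if s, ok := m.sessions[token]; !ok || s.UserID != userID {
		return false
	}
	delete(m.sessions, token)
	return true
}
// RevokeOthers is "sign out everywhere except this device" done in one server-side call.
func (m *memoryStore) RevokeOthers(userID, keepToken string, now time.Time) int {
	n := 0
	for _, s := range m.ListSessions(userID, now) {
		if s.SessionToken != keepToken && m.RevokeSession(userID, s.SessionToken) {
			n++
		}
	}
	return n
}
```

The handler for `DELETE /auth/sessions?token=...` should pass the user ID resolved from the request's own session into `RevokeSession`, never a user ID taken from the request body or query.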