
Session management

Sessions can be managed by:

  1. The user who owns the session through self-service
  2. System administrators using administrative endpoints

Self-service session management

Self-service session management lets a signed-in user list and revoke their own sessions without involving an administrator.

note

When performing these operations, remember to include the Ory Kratos session cookie (or, for native clients, the X-Session-Token header) in the requests; without it Ory cannot tell whose sessions are meant and rejects the call. When calling the endpoints from a proxy or middleware, make sure to forward the cookies that were sent to the proxy/middleware instead of letting them stop there. When calling these endpoints as AJAX calls, make sure the browser sends credentials (for example fetch's credentials: 'include') and configure CORS so that the Ory origin accepts credentialed requests.

Listing sessions

Users can list their sessions by sending a GET request to the /sessions endpoint or by using the listSessions SDK command:

GET https://{your-project-slug-here}.projects.oryapis.com/sessions
Cookie: ory_kratos_session=...
# OR
X-Session-Token: ...

This call returns all of the user's active sessions that haven't expired, except the current session (the one making the request).

tip

You can use this call to show a UI with all active sessions to the user.

Revoking specific sessions

To revoke a specific session, the user must send a DELETE request to the /sessions/{id} endpoint or use the revokeSessionById SDK command:

DELETE https://{your-project-slug-here}.projects.oryapis.com/sessions/{id}
Cookie: ory_kratos_session=...
# OR
X-Session-Token: ...

Sessions revoked by users are not deleted from the system. Instead, they become inactive. Only administrators can delete sessions using the administrative endpoints.

note

This endpoint revokes only sessions other than the current session; passing the current session's ID is rejected. To end the current session, use the self-service logout.

Revoking all sessions

To revoke all sessions, the user must send a DELETE request to the /sessions endpoint or use the revokeSessions SDK command:

DELETE https://{your-project-slug-here}.projects.oryapis.com/sessions
Cookie: ory_kratos_session=...
# OR
X-Session-Token: ...
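The three self-service calls above, together with the credential-forwarding point from the note at the top of this section, as an added example that is not part of the Ory documentation or the Ory SDK. It uses only Go's standard library and talks to an in-process stand-in for the Ory API so it runs offline; the stand-in's session IDs ("cur", "laptop", "phone"), its accepted credentials ("cookie-cur", "token-cur") and the response shapes it assumes (a JSON array for GET /sessions, 204 for DELETE /sessions/{id}, a {"count": n} body for DELETE /sessions) are constructed for the example. The Cookie and Token fields are exactly what a proxy or middleware has to copy from the inbound request; a request with neither is refused before it is sent.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session is the subset of an Ory session object a "your devices" UI needs.
type Session struct {
	ID string `json:"id"`
}

// SelfService calls the self-service session endpoints as one user. Cookie is the
// ory_kratos_session value (browser clients), Token the X-Session-Token value
// (native clients); a proxy or middleware copies whichever the inbound request had.
type SelfService struct {
	BaseURL string // https://{your-project-slug-here}.projects.oryapis.com
	Cookie  string
	Token   string
}

// do sends one credentialed request, fails unless Ory answers with status want,
// and decodes the JSON body into out when out is non-nil.
func (s SelfService) do(method, path string, want int, out interface{}) error {
	req, err := http.NewRequest(method, strings.TrimRight(s.BaseURL, "/")+path, nil)
	if err != nil {
		return err
	}
	switch {
	case s.Cookie != "":
		req.AddCookie(&http.Cookie{Name: "ory_kratos_session", Value: s.Cookie})
	case s.Token != "":
		req.Header.Set("X-Session-Token", s.Token)
	default: // fail locally; without a credential Ory would reject the call anyway
		return fmt.Errorf("%s %s: no session credential to forward", method, path)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != want {
		return fmt.Errorf("%s %s: unexpected status %s", method, path, resp.Status)
	}
	if out != nil {
		return json.NewDecoder(resp.Body).Decode(out)
	}
	return nil
}

// ListOtherSessions is GET /sessions: every active, unexpired session of the
// caller except the one making the request, so an empty list is the normal case.
func (s SelfService) ListOtherSessions() ([]Session, error) {
	var list []Session
	err := s.do(http.MethodGet, "/sessions", http.StatusOK, &list)
	return list, err
}

// RevokeSession is DELETE /sessions/{id}. The current session's id is refused;
// ending the current session is the job of the logout flow.
func (s SelfService) RevokeSession(id string) error {
	return s.do(http.MethodDelete, "/sessions/"+id, http.StatusNoContent, nil)
}

// RevokeOtherSessions is DELETE /sessions and returns how many were revoked.
func (s SelfService) RevokeOtherSessions() (int, error) {
	var body map[string]int // assumed shape: {"count": n}
	err := s.do(http.MethodDelete, "/sessions", http.StatusOK, &body)
	return body["count"], err
}

// NewFakeKratos stands in for Ory so the example runs offline (single client, no
// locking). It holds the current session "cur" plus "laptop" and "phone"; the
// credentials and JSON shapes are constructed assumptions, not Ory's schema.
func NewFakeKratos() *httptest.Server {
	active := map[string]bool{"cur": true, "laptop": true, "phone": true}
	others := func(revoke bool) []Session { // every active session except the current one
		out := []Session{}
		for id, ok := range active {
			if ok && id != "cur" {
				out = append(out, Session{ID: id})
				active[id] = active[id] && !revoke // revoked sessions go inactive, not away
			}
		}
		return out
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("ory_kratos_session"); (err != nil || c.Value != "cookie-cur") && r.Header.Get("X-Session-Token") != "token-cur" {
			http.Error(w, `{"error":{"code":401}}`, http.StatusUnauthorized)
			return
		}
		id := strings.TrimPrefix(r.URL.Path, "/sessions/")
		switch {
		case r.Method == http.MethodGet && r.URL.Path == "/sessions":
			json.NewEncoder(w).Encode(others(false))
		case r.Method == http.MethodDelete && r.URL.Path == "/sessions":
			json.NewEncoder(w).Encode(map[string]int{"count": len(others(true))})
		case r.Method == http.MethodDelete && id != "cur" && active[id]:
			active[id] = false
			w.WriteHeader(http.StatusNoContent)
		default: // unknown id, already revoked, or the current session
			http.Error(w, `{"error":{"code":400}}`, http.StatusBadRequest)
		}
	}))
}
```

To use it against a real project, set BaseURL to your project URL and fill exactly one of Cookie or Token from the inbound request; the fake server is only there so the calls can be exercised end to end without network access.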

Administrative session management

System administrators have access to all sessions in the system.

Listing sessions

To get all sessions of a specific identity, administrators must send a GET request to the administrative /admin/identities/{id}/sessions endpoint.

GET https://{your-project-slug-here}.projects.oryapis.com/admin/identities/{id}/sessions
Authorization: Bearer {your-personal-access-token}

Revoke sessions as an administrator

To revoke all sessions of a specific identity, administrators must send a DELETE request to the administrative /admin/identities/{id}/sessions endpoint.

DELETE https://{your-project-slug-here}.projects.oryapis.com/admin/identities/{id}/sessions
Authorization: Bearer {your-personal-access-token}

note

This operation forcefully logs the user out of all their sessions and deletes all session data. Unlike self-service revocation, which only marks sessions inactive, nothing is left to inspect afterwards, so record whatever you need from the session list before calling it.
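The two administrative calls combined into the shape an incident responder actually wants, as an added example that is not part of the Ory documentation or the Ory SDK: list the identity's sessions first so their IDs can go into the ticket, revoke them all with the personal access token, then list again to verify nothing survived. It uses only Go's standard library against an in-process stand-in for the administrative API; the identity "id-alice", its sessions "s1" and "s2", the token "pat-secret" and the response shapes (a JSON array for GET, 204 for DELETE) are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AdminSession is the subset of an Ory session object worth writing to an audit log.
type AdminSession struct {
	ID     string `json:"id"`
	Active bool   `json:"active"`
}

// Admin calls the administrative session endpoints with a personal access token.
// The token reaches every identity, so it never belongs in user-facing code paths.
type Admin struct {
	BaseURL string // https://{your-project-slug-here}.projects.oryapis.com
	PAT     string // {your-personal-access-token}
}

// do sends one Bearer-authenticated request to /admin/identities/{id}/sessions.
func (a Admin) do(method, identityID string, want int, out interface{}) error {
	endpoint := strings.TrimRight(a.BaseURL, "/") + "/admin/identities/" + identityID + "/sessions"
	req, err := http.NewRequest(method, endpoint, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+a.PAT)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != want {
		return fmt.Errorf("%s %s: unexpected status %s", method, endpoint, resp.Status)
	}
	if out != nil {
		return json.NewDecoder(resp.Body).Decode(out)
	}
	return nil
}

// ListIdentitySessions is GET /admin/identities/{id}/sessions.
func (a Admin) ListIdentitySessions(identityID string) ([]AdminSession, error) {
	var list []AdminSession
	err := a.do(http.MethodGet, identityID, http.StatusOK, &list)
	return list, err
}

// RevokeIdentitySessions is DELETE /admin/identities/{id}/sessions: the user is
// logged out everywhere and the session data is deleted, not merely deactivated.
func (a Admin) RevokeIdentitySessions(identityID string) error {
	return a.do(http.MethodDelete, identityID, http.StatusNoContent, nil)
}

// ForceLogout records what is about to be destroyed, destroys it, then verifies
// nothing survived. The returned IDs are what goes into the incident ticket,
// because after the DELETE they are gone from Ory.
func (a Admin) ForceLogout(identityID string) ([]string, error) {
	before, err := a.ListIdentitySessions(identityID)
	if err != nil {
		return nil, err
	}
	killed := []string{}
	for _, s := range before {
		killed = append(killed, s.ID)
	}
	if err := a.RevokeIdentitySessions(identityID); err != nil {
		return killed, err
	}
	after, err := a.ListIdentitySessions(identityID)
	if err == nil && len(after) != 0 {
		err = fmt.Errorf("%d session(s) of %s survived revocation", len(after), identityID)
	}
	return killed, err
}

// NewFakeAdminAPI stands in for Ory so the example runs offline: one identity with
// two sessions, reachable only with the constructed token "pat-secret". The JSON
// shapes follow the docs above but are assumptions, not Ory's schema.
func NewFakeAdminAPI() *httptest.Server {
	store := map[string][]AdminSession{
		"id-alice": {{ID: "s1", Active: true}, {ID: "s2", Active: true}},
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer pat-secret" {
			http.Error(w, `{"error":{"code":401}}`, http.StatusUnauthorized)
			return
		}
		id := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/admin/identities/"), "/sessions")
		switch r.Method {
		case http.MethodGet:
			json.NewEncoder(w).Encode(store[id]) // null for an identity with no sessions
		case http.MethodDelete:
			delete(store, id) // administrative revocation deletes the session data
			w.WriteHeader(http.StatusNoContent)
		}
	}))
}
```

The verification step after the DELETE is cheap and catches the case a responder most needs to know about: a revocation that returned success but left sessions behind, which would otherwise only surface when the compromised account keeps acting.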