# Session management

Sessions can be managed by:

- The user who owns the session, through self-service
- System administrators, using the administrative endpoints
## Self-service session management

Using self-service session management, users can manage their own sessions.

> **Note:** When performing these operations, remember to include the Ory Kratos Session Cookie in the requests. When calling the endpoints from a proxy or middleware, make sure to forward the cookies sent to the proxy/middleware. When calling these endpoints as AJAX calls, make sure to include credentials and configure CORS properly.
### Listing sessions

Users can list their sessions by sending a `GET` request to the `/sessions` endpoint or by using the `listSessions` SDK command:

```http
GET https://{your-project-slug-here}.projects.oryapis.com/sessions
Cookies: ory_kratos_session=...
# OR
X-Session-Token: ...
```

This call returns a list of all of the user's active sessions that haven't expired, except the current session.

> **Tip:** You can use this call to show a UI with all active sessions to the user.
### Revoking specific sessions

To revoke a specific session, the user must send a `DELETE` request to the `/sessions/{id}` endpoint or use the `revokeSessionById` SDK command:

```http
DELETE https://{your-project-slug-here}.projects.oryapis.com/sessions/{id}
Cookies: ory_kratos_session=...
# OR
X-Session-Token: ...
```

Sessions revoked by users are not deleted from the system. Instead, they become inactive. Only administrators can delete sessions using the administrative endpoints.

> **Note:** This endpoint revokes only sessions other than the current session. To revoke the current session, use the self-service logout.
### Revoking all sessions

To revoke all sessions, the user must send a `DELETE` request to the `/sessions` endpoint or use the `revokeSessions` SDK command:

```http
DELETE https://{your-project-slug-here}.projects.oryapis.com/sessions
Cookies: ory_kratos_session=...
# OR
X-Session-Token: ...
```
## Administrative session management

System administrators have access to all sessions in the system.

### Listing sessions

To get all sessions of a specific identity, administrators must send a `GET` request to the administrative `/admin/identities/{id}/sessions` endpoint:

```http
GET https://{your-project-slug-here}.projects.oryapis.com/admin/identities/{id}/sessions
Authorization: Bearer {your-personal-access-token}
```
### Revoking sessions as an administrator

To revoke all sessions of a specific identity, administrators must send a `DELETE` request to the administrative `/admin/identities/{id}/sessions` endpoint:

```http
DELETE https://{your-project-slug-here}.projects.oryapis.com/admin/identities/{id}/sessions
Authorization: Bearer {your-personal-access-token}
```

> **Note:** This operation forcefully logs the user out of all their sessions and deletes all session data.
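The following is an added example, not Ory's code or SDK, that exercises both the self-service calls above and the administrative calls with the credential each one requires: the `ory_kratos_session` cookie or `X-Session-Token` header for self-service, a `Bearer` personal access token for the admin endpoints. Because it has to run offline, it talks to an in-process stand-in (`MockKratos`) that implements only the behaviour this page documents: listing hides the current session, a user revoke marks a session inactive rather than deleting it, the current session cannot be revoked through `DELETE /sessions/{id}`, and the admin revoke deletes the session data. All tokens, session ids, identity ids and the access token are constructed sample values.

```python
import copy, json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def call(base, method, path, headers):
    """Send one request, forwarding the caller's credential headers unchanged
    (what a proxy/middleware must do). Returns (status, decoded JSON or None)."""
    req = urllib.request.Request(base + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return resp.status, (json.loads(body) if body else None)
    except urllib.error.HTTPError as e:
        return e.code, None

def cookie_auth(value): return {"Cookie": f"ory_kratos_session={value}"}
def token_auth(value):  return {"X-Session-Token": value}
def admin_auth(pat):    return {"Authorization": f"Bearer {pat}"}

# Constructed sample data: credential -> session record. Not real tokens.
ADMIN_PAT = "pat-constructed"
SESSION_TEMPLATE = {
    "tok-laptop": {"id": "s-1", "identity_id": "alice", "active": True},
    "tok-phone":  {"id": "s-2", "identity_id": "alice", "active": True},
    "tok-tablet": {"id": "s-3", "identity_id": "alice", "active": True},
    "tok-bob":    {"id": "s-4", "identity_id": "bob",   "active": True},
}
SESSIONS = {}

class MockKratos(BaseHTTPRequestHandler):
    """Stand-in for Kratos implementing only the behaviour the page documents."""
    def _current(self):
        for part in self.headers.get("Cookie", "").split(";"):
            k, _, v = part.strip().partition("=")
            if k == "ory_kratos_session":
                return SESSIONS.get(v)
        return SESSIONS.get(self.headers.get("X-Session-Token", ""))

    def _is_admin(self):
        return self.headers.get("Authorization") == f"Bearer {ADMIN_PAT}"

    def _own(self, identity_id):
        return [s for s in SESSIONS.values() if s["identity_id"] == identity_id]

    def _send(self, status, payload=None):
        self.send_response(status)
        self.end_headers()
        if payload is not None:
            self.wfile.write(json.dumps(payload).encode())

    def do_GET(self):
        if self.path.startswith("/admin/identities/"):
            if not self._is_admin():
                return self._send(401)
            return self._send(200, self._own(self.path.split("/")[3]))  # admins see all
        cur = self._current()
        if cur is None or not cur["active"]:
            return self._send(401)
        # Self-service listing: active sessions only, current session excluded.
        self._send(200, [s for s in self._own(cur["identity_id"]) if s["active"] and s is not cur])

    def do_DELETE(self):
        if self.path.startswith("/admin/identities/"):
            if not self._is_admin():
                return self._send(401)
            ident = self.path.split("/")[3]
            for tok in [t for t, s in SESSIONS.items() if s["identity_id"] == ident]:
                del SESSIONS[tok]                       # admin revoke deletes session data
            return self._send(204)
        cur = self._current()
        if cur is None or not cur["active"]:
            return self._send(401)
        if self.path == "/sessions":
            for s in self._own(cur["identity_id"]):
                if s is not cur:
                    s["active"] = False                 # user revoke: inactive, not deleted
            return self._send(204)
        sid = self.path.rpartition("/")[2]
        target = next((s for s in self._own(cur["identity_id"]) if s["id"] == sid), None)
        if target is None:
            return self._send(404)                      # not one of the caller's sessions
        if target is cur:
            return self._send(400)                      # current session: use logout instead
        target["active"] = False
        self._send(204)

    def log_message(self, *_): pass

def run_demo():
    """Run the documented flows against the mock; returns observed results."""
    SESSIONS.clear(); SESSIONS.update(copy.deepcopy(SESSION_TEMPLATE))
    server = HTTPServer(("127.0.0.1", 0), MockKratos)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base, me, admin = f"http://127.0.0.1:{server.server_port}", cookie_auth("tok-laptop"), admin_auth(ADMIN_PAT)
    try:
        out = {"listed": [s["id"] for s in call(base, "GET", "/sessions", me)[1]]}
        out["revoke_self"] = call(base, "DELETE", "/sessions/s-1", me)[0]
        out["revoke_phone"] = call(base, "DELETE", "/sessions/s-2", me)[0]
        out["phone_after"] = call(base, "GET", "/sessions", token_auth("tok-phone"))[0]
        out["revoke_all"] = call(base, "DELETE", "/sessions", me)[0]
        out["listed_after"] = call(base, "GET", "/sessions", me)[1]
        out["admin_sees"] = len(call(base, "GET", "/admin/identities/alice/sessions", admin)[1])
        out["admin_no_pat"] = call(base, "GET", "/admin/identities/alice/sessions", me)[0]
        out["admin_revoke"] = call(base, "DELETE", "/admin/identities/alice/sessions", admin)[0]
        out["remaining"] = sorted(SESSIONS)
        return out
    finally:
        server.shutdown(); server.server_close()

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The interesting results are the ones that differ between the two roles: after the user has revoked everything, the self-service list is empty but the admin listing still returns all three of alice's records (inactive sessions are kept), and only the admin `DELETE` removes them from the store. A session cookie presented to the `/admin/...` path is rejected, which is the check a real deployment relies on to keep the two privilege levels apart.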