Sessions
Session endpoints let users view and manage their active sessions. Sessions are created when a user logs in and expire after 1 hour. Sessions are scoped to the application where the user authenticated — a session on one app's subdomain has no effect on another app's subdomain.
GET /api/sessions (Bearer Token)
Returns all active sessions for the current user. Each session includes an is_current flag.
Response
{
  "sessions": [
    {
      "id": "session-uuid",
      "idp_name": "github",
      "ip_address": "203.0.113.1",
      "user_agent": "Mozilla/5.0...",
      "created_at": "2026-02-01T10:00:00Z",
      "expires_at": "2026-02-01T11:00:00Z",
      "last_active_at": "2026-02-01T10:30:00Z",
      "is_current": true
    }
  ]
}

DELETE /api/sessions/:id (Bearer Token)
Revokes a specific session. Cannot revoke the current session (use /signout instead).
| Parameter | Type | Description |
|---|---|---|
| id* path | string | Session ID to revoke |
Response
{
  "message": "Session revoked"
}

DELETE /api/sessions (Bearer Token)
Revokes all sessions except the current one.
Response
{
  "message": "All other sessions revoked",
  "revoked_count": 3
}

POST /signout (Session)
Signs out the current user by revoking the session and clearing the session cookie.
Response
HTTP 302 → / (with session cookie cleared)
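
An added example (not part of the original API documentation) of a client-side session review built on the endpoints above: it picks non-current sessions out of a GET /api/sessions response and revokes them one by one with DELETE /api/sessions/:id. The host name, the 15-minute idle threshold, the rule of comparing IP addresses against the current session, and the sample data are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

BASE_URL = "https://app.example.com"  # assumption: placeholder host, not from the page

# Constructed sample shaped like the documented GET /api/sessions response.
SAMPLE = {"sessions": [
    {"id": "s-current", "ip_address": "203.0.113.1", "is_current": True,
     "expires_at": "2026-02-01T11:00:00Z", "last_active_at": "2026-02-01T10:30:00Z"},
    {"id": "s-other-ip", "ip_address": "198.51.100.7", "is_current": False,
     "expires_at": "2026-02-01T11:00:00Z", "last_active_at": "2026-02-01T10:29:00Z"},
    {"id": "s-idle", "ip_address": "203.0.113.1", "is_current": False,
     "expires_at": "2026-02-01T11:00:00Z", "last_active_at": "2026-02-01T10:02:00Z"},
    {"id": "s-ok", "ip_address": "203.0.113.1", "is_current": False,
     "expires_at": "2026-02-01T11:00:00Z", "last_active_at": "2026-02-01T10:28:00Z"},
]}

def _ts(value):
    """Parse the API's ISO 8601 'Z' timestamps into timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def sessions_to_revoke(payload, now, max_idle=timedelta(minutes=15)):
    """Return (id, reason) pairs for sessions to revoke; never the current one."""
    sessions = payload["sessions"]
    current = next((s for s in sessions if s["is_current"]), None)
    flagged = []
    for s in sessions:
        if s["is_current"] or _ts(s["expires_at"]) <= now:
            continue  # current session ends via /signout; expired ones need no action
        if current and s["ip_address"] != current["ip_address"]:
            flagged.append((s["id"], "ip differs from current session"))
        elif now - _ts(s["last_active_at"]) > max_idle:  # assumed policy threshold
            flagged.append((s["id"], "idle"))
    return flagged

def revoke(session_id, token):
    """Call DELETE /api/sessions/:id with the bearer token; return the JSON body."""
    path = urllib.parse.quote(session_id, safe="")  # keep the id inside one path segment
    req = urllib.request.Request(f"{BASE_URL}/api/sessions/{path}", method="DELETE",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    now = datetime(2026, 2, 1, 10, 31, tzinfo=timezone.utc)
    for sid, reason in sessions_to_revoke(SAMPLE, now):
        print(f"would revoke {sid}: {reason}")
```

If every other session should go regardless of policy, a single DELETE /api/sessions call replaces the loop.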