Session Endpoints
The session management endpoints allow users to view active sessions, revoke individual sessions, and terminate all sessions across devices. All endpoints require authentication. Served by SessionController at /api/v1/sessions.
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/sessions | List active sessions |
| GET | /api/v1/sessions/all | List all sessions (including inactive) |
| GET | /api/v1/sessions/count | Get active session count |
| DELETE | /api/v1/sessions/:sessionId | Revoke a specific session |
| DELETE | /api/v1/sessions/others | Revoke all sessions except current |
| DELETE | /api/v1/sessions/all | Revoke all sessions (forces re-login) |
GET /api/v1/sessions
Returns all active sessions for the authenticated user. The current session is marked with isCurrent: true based on the bearer token.
[
  {
    "id": 1,
    "deviceName": "Chrome on macOS",
    "ipAddress": "192.168.1.100",
    "userAgent": "Mozilla/5.0...",
    "createdAt": "2026-02-10T08:00:00Z",
    "lastAccessedAt": "2026-02-12T14:30:00Z",
    "isCurrent": true,
    "expiresAt": "2026-02-12T16:00:00Z"
  }
]
DELETE /api/v1/sessions/:sessionId
Revokes a specific session by ID. The associated refresh token is invalidated.
| Status | Description |
|---|---|
| 204 | Session revoked |
| 404 | Session not found |
DELETE /api/v1/sessions/others
Revokes all sessions except the one making the request. Returns a count of revoked sessions.
{
  "revoked": 3
}
DELETE /api/v1/sessions/all
Revokes all sessions, including the current one. The user must re-authenticate after this call.
{
  "revoked": 4
}
Session Lifecycle
Sessions are created during login and tied to a specific device fingerprint and IP address. Each session corresponds to a refresh token. When a session is revoked, the associated refresh token is invalidated and cannot be used for token refresh.
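The lifecycle above as a small in-memory model. This is an added example, not the project's code: `SessionStore`, its method names and the `rt-N` token values are hypothetical, and answering 404 for a session ID owned by another user is an assumption.

```javascript
// Added example: in-memory model of the session lifecycle described above.
// SessionStore and its methods are hypothetical, not SessionController's code.
class SessionStore {
  constructor() {
    this.sessions = new Map(); // id -> session record
    this.nextId = 1;
  }

  // Login: one session per device, bound to exactly one refresh token.
  create(userId, deviceName) {
    const id = this.nextId++;
    const refreshToken = `rt-${id}`; // constructed placeholder, not a real token
    const session = { id, userId, deviceName, refreshToken, revokedAt: null };
    this.sessions.set(id, session);
    return session;
  }

  active(userId) {
    return [...this.sessions.values()]
      .filter((s) => s.userId === userId && s.revokedAt === null);
  }

  // GET /sessions: flag the caller's session; the refresh token is never returned.
  list(userId, currentId) {
    return this.active(userId)
      .map(({ id, deviceName }) => ({ id, deviceName, isCurrent: id === currentId }));
  }

  // DELETE /sessions/:sessionId -> 204 or 404.
  // Assumption: a session owned by someone else is reported as 404, so the
  // endpoint neither revokes it nor confirms that the ID exists.
  revoke(userId, sessionId) {
    const s = this.sessions.get(sessionId);
    if (!s || s.userId !== userId) return 404;
    s.revokedAt ??= new Date();
    return 204;
  }

  // DELETE /sessions/others (keepId = current session) or /sessions/all (keepId = null).
  revokeMany(userId, keepId = null) {
    const targets = this.active(userId).filter((s) => s.id !== keepId);
    targets.forEach((s) => { s.revokedAt = new Date(); });
    return { revoked: targets.length };
  }

  // Token refresh is honoured only while the owning session is still active.
  canRefresh(refreshToken) {
    return [...this.sessions.values()]
      .some((s) => s.refreshToken === refreshToken && s.revokedAt === null);
  }
}
```

Access tokens already issued for a revoked session are outside this model; the page only states that the refresh token stops working.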