MATIH Platform is in active MVP development. Documentation reflects current implementation status.
6. Identity & Access Management
Session Management
Session Lifecycle

Production - SessionController at /api/v1/sessions

Sessions are created during login and track user activity across the platform. Each session is associated with a JWT token and records the device, IP address, and activity timestamps.


6.7.1 List Active Sessions

curl -X GET http://localhost:8081/api/v1/sessions \
  -H "Authorization: Bearer <access-token>"

Response (200 OK)

[
  {
    "id": 1,
    "ipAddress": "203.0.113.50",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
    "createdAt": "2026-02-12T08:00:00Z",
    "lastActivityAt": "2026-02-12T10:30:00Z",
    "current": true,
    "deviceName": "MacBook Pro"
  },
  {
    "id": 2,
    "ipAddress": "198.51.100.23",
    "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0...)...",
    "createdAt": "2026-02-11T14:00:00Z",
    "lastActivityAt": "2026-02-11T18:00:00Z",
    "current": false,
    "deviceName": "iPhone 15 Pro"
  }
]

The current flag identifies the session that issued the request; it is set when a session's stored token ID matches the jti claim of the JWT presented in the Authorization header.


6.7.2 Session Count

curl -X GET http://localhost:8081/api/v1/sessions/count \
  -H "Authorization: Bearer <access-token>"

Response: { "count": 3 }

6.7.3 Revoke Sessions

Revoke Specific Session

curl -X DELETE http://localhost:8081/api/v1/sessions/2 \
  -H "Authorization: Bearer <access-token>"

Revoke Other Sessions

Keeps the current session active and revokes all others:

curl -X DELETE http://localhost:8081/api/v1/sessions/others \
  -H "Authorization: Bearer <access-token>"

Response: { "revoked": 2 }

Revoke All Sessions

Revokes all sessions including the current one (requires re-login):

curl -X DELETE http://localhost:8081/api/v1/sessions/all \
  -H "Authorization: Bearer <access-token>"

Response: { "revoked": 3 }


Implementation Details

The SessionController uses the JWT token ID (jti claim) to identify the current session. Despite its name, the helper below returns the token ID extracted from the bearer token, not the raw token itself:

// Returns the jti claim of the bearer token carried in the Authorization
// header, or null when the header is absent or does not use the Bearer scheme.
// jwtTokenProvider is the injected JWT provider that validates the token and
// reads its claims.
private String extractToken(HttpServletRequest request) {
    String bearerToken = request.getHeader("Authorization");
    if (bearerToken != null && bearerToken.startsWith("Bearer ")) {
        // Strip the "Bearer " prefix (7 characters) to get the compact JWT.
        String token = bearerToken.substring(7);
        return jwtTokenProvider.getTokenIdFromToken(token);
    }
    return null;
}
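The following Python example is added here to illustrate the mechanism behind the "current" flag and the revoke-others endpoint described above; it is not MATIH code. It mints a demo HS256 JWT carrying a jti claim, mirrors the controller's Bearer-header handling with signature verification before the jti is trusted, then marks the current session and counts revocations over a constructed in-memory session list. The secret, the session records and the tokenId field on each session are assumptions for the demo; the real SessionController resolves the token ID through jwtTokenProvider, whose internals are not shown on this page.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed demo secret; a real deployment uses a managed, randomly generated key.
DEMO_SECRET = b"demo-hs256-secret-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, jti: str, secret: bytes = DEMO_SECRET) -> str:
    """Demo helper: build an HS256 JWT whose jti claim identifies the session."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps({"sub": subject, "jti": jti}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def token_id_from_token(token: str, secret: bytes = DEMO_SECRET) -> Optional[str]:
    """Verify the HS256 signature, then return the jti claim; None if anything is off."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Reject alg=none and any algorithm other than the one we expect.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    jti = payload.get("jti")
    return jti if isinstance(jti, str) else None


def extract_token_id(authorization_header: Optional[str],
                     secret: bytes = DEMO_SECRET) -> Optional[str]:
    """Mirror of the controller helper: Bearer scheme check, then verified jti."""
    if authorization_header is None or not authorization_header.startswith("Bearer "):
        return None
    return token_id_from_token(authorization_header[len("Bearer "):], secret)


def mark_current(sessions: List[dict], current_jti: Optional[str]) -> List[dict]:
    """Return a copy of the session list with current set by jti match (assumed tokenId field)."""
    return [dict(s, current=(s["tokenId"] == current_jti)) for s in sessions]


def revoke_others(sessions: List[dict], current_jti: str) -> Tuple[List[dict], int]:
    """DELETE /sessions/others semantics: keep the current session, return (remaining, revoked)."""
    remaining = [s for s in sessions if s["tokenId"] == current_jti]
    return remaining, len(sessions) - len(remaining)


if __name__ == "__main__":
    # Constructed session store: three sessions for one user, each bound to a token ID.
    store = [{"id": i, "tokenId": f"jti-{i}"} for i in (1, 2, 3)]
    header = "Bearer " + mint_token("alice", "jti-1")
    jti = extract_token_id(header)
    print(mark_current(store, jti))          # session 1 flagged current
    print(revoke_others(store, jti)[1])      # 2 revoked
```

A session list that only flags the current entry when the presented token verifies is what makes the revoke-others endpoint safe: a forged or tampered token yields no jti, so nothing matches and nothing is kept or revoked on its behalf.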

Error Codes

Code                HTTP Status   Description
SESSION_NOT_FOUND   404           Session not found
UNAUTHORIZED        401           Not authenticated