Session Management

Gate Identity gives you full control over the active sessions of your end-users. You can list all sessions for a given identity, revoke them all at once (force logout everywhere), or revoke a single session by ID.


Endpoints

MethodPathDescription
GET/v1/gate/identities/{id}/sessionsList all active sessions for an identity
DELETE/v1/gate/identities/{id}/sessionsRevoke all sessions for an identity
DELETE/v1/gate/sessions/{session_id}Revoke a single session

All endpoints require a tenant API key with the gate scope. Tenant isolation is enforced — you can only manage sessions of identities that belong to your tenant.


List Sessions

GET /v1/gate/identities/{id}/sessions

Returns all active sessions for the given identity. The response is the raw Kratos session array.

curl https://api.vernesoft.com/v1/gate/identities/f47ac10b-.../sessions \
  -H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...'
[
  {
    "id": "8e4f0b2a-...",
    "active": true,
    "authenticated_at": "2026-04-12T09:15:00Z",
    "expires_at": "2026-05-12T09:15:00Z",
    "issued_at": "2026-04-12T09:15:00Z",
    "authentication_methods": [
      { "method": "password", "completed_at": "2026-04-12T09:15:00Z" }
    ],
    "devices": [
      {
        "id": "d1e2f3a4-...",
        "ip_address": "203.0.113.42",
        "user_agent": "Mozilla/5.0 (Macintosh; ...)",
        "location": "Paris, FR"
      }
    ]
  }
]

Key fields per session:

FieldDescription
idSession ID — use this to revoke a specific session
activeWhether the session is currently valid
authenticated_atWhen the session was created
expires_atWhen the session will expire automatically
authentication_methodsMethods used (password, code, totp, etc.)
devicesIP address and user agent of the device

Revoke All Sessions

DELETE /v1/gate/identities/{id}/sessions

Immediately invalidates all active sessions for the identity. The user will be logged out on all devices on their next request.

Returns 204 No Content.

curl -X DELETE https://api.vernesoft.com/v1/gate/identities/f47ac10b-.../sessions \
  -H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...'

Use cases:

  • User reports their account was compromised
  • User is deactivated and you want to immediately terminate access
  • "Log out everywhere" button in your account settings

Revoke a Single Session

DELETE /v1/gate/sessions/{session_id}

Revokes one specific session by its ID. Gate verifies that the session belongs to an identity owned by your tenant before proceeding.

Returns 204 No Content.

curl -X DELETE https://api.vernesoft.com/v1/gate/sessions/8e4f0b2a-... \
  -H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...'

Use case: The user sees an unfamiliar device in their session list and clicks "Log out this device".


Typical Integration Pattern

// 1. Fetch the user's active sessions
const res = await fetch(`/v1/gate/identities/${userId}/sessions`, {
  headers: { 'Authorization': `Bearer ${apiKey}` },
})
const sessions = await res.json()

// 2. Display to user — let them revoke suspicious ones
for (const session of sessions) {
  const { id, devices, authenticated_at } = session
  // render session row with a "Revoke" button
}

// 3. Revoke on user action
async function revokeSession(sessionId) {
  await fetch(`/v1/gate/sessions/${sessionId}`, {
    method: 'DELETE',
    headers: { 'Authorization': `Bearer ${apiKey}` },
  })
}

// 4. Or revoke all at once (e.g., on deactivation)
async function revokeAllSessions(userId) {
  await fetch(`/v1/gate/identities/${userId}/sessions`, {
    method: 'DELETE',
    headers: { 'Authorization': `Bearer ${apiKey}` },
  })
}

Notes

  • Sessions expire automatically based on the Kratos session lifetime configured for your tenant.
  • Revoking a session does not delete the identity — the user can log in again unless the identity is also deactivated (see Activate / Deactivate).
  • The devices array may be empty if Kratos could not detect device information for the session.