Session Management
Gate Identity gives you full control over the active sessions of your end-users. You can list all sessions for a given identity, revoke them all at once (force logout everywhere), or revoke a single session by ID.
Endpoints
| Method | Path | Description |
|---|---|---|
GET | /v1/gate/identities/{id}/sessions | List all active sessions for an identity |
DELETE | /v1/gate/identities/{id}/sessions | Revoke all sessions for an identity |
DELETE | /v1/gate/sessions/{session_id} | Revoke a single session |
All endpoints require a tenant API key with the gate scope. Tenant isolation is enforced — you can only manage sessions of identities that belong to your tenant.
List Sessions
GET /v1/gate/identities/{id}/sessions
Returns all active sessions for the given identity. The response is the raw Kratos session array.
curl https://api.vernesoft.com/v1/gate/identities/f47ac10b-.../sessions \
-H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...'
[
{
"id": "8e4f0b2a-...",
"active": true,
"authenticated_at": "2026-04-12T09:15:00Z",
"expires_at": "2026-05-12T09:15:00Z",
"issued_at": "2026-04-12T09:15:00Z",
"authentication_methods": [
{ "method": "password", "completed_at": "2026-04-12T09:15:00Z" }
],
"devices": [
{
"id": "d1e2f3a4-...",
"ip_address": "203.0.113.42",
"user_agent": "Mozilla/5.0 (Macintosh; ...)",
"location": "Paris, FR"
}
]
}
]
Key fields per session:
| Field | Description |
|---|---|
id | Session ID — use this to revoke a specific session |
active | Whether the session is currently valid |
authenticated_at | When the session was created |
expires_at | When the session will expire automatically |
authentication_methods | Methods used (password, code, totp, etc.) |
devices | IP address and user agent of the device |
Revoke All Sessions
DELETE /v1/gate/identities/{id}/sessions
Immediately invalidates all active sessions for the identity. The user will be logged out on all devices on their next request.
Returns 204 No Content.
curl -X DELETE https://api.vernesoft.com/v1/gate/identities/f47ac10b-.../sessions \
-H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...'
Use cases:
- User reports their account was compromised
- User is deactivated and you want to immediately terminate access
- "Log out everywhere" button in your account settings
Revoke a Single Session
DELETE /v1/gate/sessions/{session_id}
Revokes one specific session by its ID. Gate verifies that the session belongs to an identity owned by your tenant before proceeding.
Returns 204 No Content.
curl -X DELETE https://api.vernesoft.com/v1/gate/sessions/8e4f0b2a-... \
-H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...'
Use case: The user sees an unfamiliar device in their session list and clicks "Log out this device".
Typical Integration Pattern
// 1. Fetch the user's active sessions
const res = await fetch(`/v1/gate/identities/${userId}/sessions`, {
headers: { 'Authorization': `Bearer ${apiKey}` },
})
const sessions = await res.json()
// 2. Display to user — let them revoke suspicious ones
for (const session of sessions) {
const { id, devices, authenticated_at } = session
// render session row with a "Revoke" button
}
// 3. Revoke on user action
async function revokeSession(sessionId) {
await fetch(`/v1/gate/sessions/${sessionId}`, {
method: 'DELETE',
headers: { 'Authorization': `Bearer ${apiKey}` },
})
}
// 4. Or revoke all at once (e.g., on deactivation)
async function revokeAllSessions(userId) {
await fetch(`/v1/gate/identities/${userId}/sessions`, {
method: 'DELETE',
headers: { 'Authorization': `Bearer ${apiKey}` },
})
}
Notes
- Sessions expire automatically based on the Kratos session lifetime configured for your tenant.
- Revoking a session does not delete the identity — the user can log in again unless the identity is also deactivated (see Activate / Deactivate).
- The
devicesarray may be empty if Kratos could not detect device information for the session.