Sessions API
Query and manage active sessions. Sessions are stored in Redis with configurable TTL.
List Sessions
GET /api/sessions?realm={realm}&userId={userId}
Authorization: Bearer <token>
curl -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/api/sessions?realm=master&userId=usr_abc123"

[
  {
    "sessionId": "sess-uuid-1",
    "userId": "usr_abc123",
    "realmId": "master",
    "clientIds": ["opengate-console"],
    "ipAddress": "192.168.1.10",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) ...",
    "createdAt": "2025-06-01T10:00:00Z",
    "expiresAt": "2025-06-01T18:00:00Z"
  }
]

Get Session
GET /api/sessions/{sessionId}
Authorization: Bearer <token>
Revoke Session
DELETE /api/sessions/{sessionId}
Authorization: Bearer <token>
Response: 204 No Content
The session is removed from Redis and the JWT is added to the token blacklist. The user is immediately logged out of that device — no need to wait for token expiry.
Immediate effect
Session revocation takes effect within milliseconds via the Redis blacklist — not just at token expiry.
Revoke All User Sessions
DELETE /api/sessions?realm={realm}&userId={userId}
Authorization: Bearer <token>
# Force logout all devices for a user
curl -X DELETE \
  -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/api/sessions?realm=master&userId=usr_abc123"

Response: 204 No Content
Use this for:
- Password reset (force all existing sessions to end)
- Suspicious activity detected
- User account suspension
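
For the "suspicious activity" case, revoking only the sessions that look wrong can be preferable to logging out every device. The following is an added example, not code from this project: it triages a List Sessions response by source IP and builds the per-session DELETE requests without sending them. The trusted network list, the function names and the sample sessions are assumptions made up for illustration.

```python
import ipaddress
import urllib.parse
import urllib.request
from datetime import datetime, timezone

BASE_URL = "http://localhost:8080"  # same host as the curl examples on this page

# Constructed sample in the shape of the List Sessions response (not real data).
SAMPLE_SESSIONS = [
    {"sessionId": "sess-uuid-1", "userId": "usr_abc123", "realmId": "master",
     "ipAddress": "192.168.1.10", "expiresAt": "2025-06-01T18:00:00Z"},
    {"sessionId": "sess-uuid-2", "userId": "usr_abc123", "realmId": "master",
     "ipAddress": "203.0.113.77", "expiresAt": "2025-06-01T19:30:00Z"},
    {"sessionId": "sess-uuid-3", "userId": "usr_abc123", "realmId": "master",
     "ipAddress": "not-an-ip", "expiresAt": "2025-06-01T20:00:00Z"},
]

def parse_ts(value):
    """Parse the API's UTC timestamps (trailing 'Z') into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sessions_to_revoke(sessions, trusted_networks, now):
    """Return IDs of unexpired sessions whose source IP is outside every
    trusted network. An unparseable ipAddress is untrusted (fail closed)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for s in sessions:
        if parse_ts(s["expiresAt"]) <= now:
            continue  # already expired, nothing left to revoke
        try:
            addr = ipaddress.ip_address(s["ipAddress"])
            trusted = any(addr in net for net in nets)
        except ValueError:
            trusted = False
        if not trusted:
            flagged.append(s["sessionId"])
    return flagged

def revoke_request(session_id, token):
    """Build (but do not send) DELETE /api/sessions/{sessionId}."""
    # Percent-encode the ID so a malformed value cannot alter the request path.
    path = urllib.parse.quote(session_id, safe="")
    return urllib.request.Request(
        f"{BASE_URL}/api/sessions/{path}",
        method="DELETE",
        headers={"Authorization": f"Bearer {token}"},
    )
```

Pass each returned request to `urllib.request.urlopen` to perform the revocation; the page documents `204 No Content` as the response.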