Get My Active Sessions

GET https://accounts.<domain>/auth/sessions

This endpoint returns all other active sessions that belong to the logged-in user. The current session can be retrieved by calling the /sessions/whoami endpoint.

Request

Query Parameters

    per_page int64

    Possible values: >= 1 and <= 1000

    Deprecated Items per Page

    DEPRECATED: Please use page_token instead. This parameter will be removed in the future.

    This is the number of items per page.

    Default value: 250

    page int64

    Deprecated Pagination Page

    DEPRECATED: Please use page_token instead. This parameter will be removed in the future.

    This value is currently an integer, but it is not sequential. The value is not the page number, but a reference. The next page can be any number and some numbers might return an empty list.

    For example, page 2 might not follow page 1, and even if pages 3 and 5 exist, page 4 might not. The first page can be retrieved by omitting this parameter. Pointers to the following pages are returned in the Link header.

    page_size int64

    Possible values: >= 1 and <= 500

    Page Size

    This is the number of items per page to return. For details on pagination please head over to the pagination documentation.

    Default value: 250

    page_token string

    Possible values: >= 1

    Next Page Token

    The next page token. For details on pagination please head over to the pagination documentation.

    Default value: 1

Header Parameters

    X-Session-Token string

    Set the Session Token when calling from non-browser clients. A session token has a format of MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj.

    Cookie string

    Set the Cookie Header. This is especially useful when calling this endpoint from a server-side application. In that scenario you must include the HTTP Cookie Header that was originally included in the request to your server.

Responses

List My Session Response

Schema
  • Array [
  • active boolean

    Active state. If false the session is no longer active.

    authenticated_at string<date-time>

    The Session Authentication Timestamp

    When this session was authenticated at. If multi-factor authentication was used this is the time when the last factor was authenticated (e.g. the TOTP code challenge was completed).

    authentication_methods object[]

    A list of authenticators which were used to authenticate the session.

  • Array [
  • aal Authenticator Assurance Level (AAL) (string)

    The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder for an attacker to compromise the account.

    Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g. password + TOTP) have been used.

    Possible values: [aal0, aal1, aal2, aal3]

    completed_at string<date-time>

    When the authentication challenge was completed.

    method The method used (string)

    Possible values: [link_recovery, code_recovery, password, code, totp, oidc, webauthn, lookup_secret, v0.6_legacy_session]

    organization string

    The Organization id used for authentication

    provider string

    OIDC or SAML provider id used for authentication

  • ]
  • authenticator_assurance_level Authenticator Assurance Level (AAL) (string)

    The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder for an attacker to compromise the account.

    Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g. password + TOTP) have been used.

    Possible values: [aal0, aal1, aal2, aal3]

    devices object[]

    Devices holds the history of all endpoints where the session was used.

  • Array [
  • id string<uuid> required

    Device record ID

    ip_address string

    IP address of the client

    location string

    Geo Location corresponding to the IP Address

    user_agent string

    User agent of the client

  • ]
  • expires_at string<date-time>

    The Session Expiry

    When this session expires at.

    id string<uuid> required

    Session ID

    identity object

    An identity represents a (human) user.

    created_at string<date-time>

    CreatedAt is a helper struct field for gobuffalo.pop.

    credentials object

    Credentials represents all credentials that can be used for authenticating this identity.

    property name* identityCredentials

    Credentials represents a specific credential type

    config object

    created_at string<date-time>

    CreatedAt is a helper struct field for gobuffalo.pop.

    identifiers string[]

    Identifiers represents a list of unique identifiers this credential type matches.

    type CredentialsType (string)

    CredentialsType represents several different credential types, like password credentials, passwordless credentials, and so on.

    Possible values: [password, totp, oidc, webauthn, lookup_secret, code]

    updated_at string<date-time>

    UpdatedAt is a helper struct field for gobuffalo.pop.

    version integer<int64>

    Version refers to the version of the credential. Useful when changing the config schema.

    id string<uuid> required

    ID is the identity's unique identifier.

    The Identity ID can not be changed and can not be chosen. This ensures future compatibility and optimization for distributed stores such as CockroachDB.

    metadata_admin nullJsonRawMessage nullable

    NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable.

    metadata_public nullJsonRawMessage nullable

    NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable.

    organization_id string<uuid4> nullable

    recovery_addresses object[]

    RecoveryAddresses contains all the addresses that can be used to recover an identity.

  • Array [
  • created_at string<date-time>

    CreatedAt is a helper struct field for gobuffalo.pop.

    id string<uuid> required

    updated_at string<date-time>

    UpdatedAt is a helper struct field for gobuffalo.pop.

    value string required

    via RecoveryAddressType (string) required

    RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema.
  • ]
  • schema_id string required

    SchemaID is the ID of the JSON Schema to be used for validating the identity's traits.

    schema_url string required

    SchemaURL is the URL of the endpoint where the identity's traits schema can be fetched from.

    format: url

    state An Identity's State (string)

    The state can either be active or inactive.

    Possible values: [active, inactive]

    state_changed_at string<date-time>

    traits identityTraits required

    Traits represent an identity's traits. The identity is able to create, modify, and delete traits in a self-service manner. The input will always be validated against the JSON Schema defined in schema_url.

    updated_at string<date-time>

    UpdatedAt is a helper struct field for gobuffalo.pop.

    verifiable_addresses object[]

    VerifiableAddresses contains all the addresses that can be verified by the user.

  • Array [
  • created_at string<date-time>

    When this entry was created

    Example: 2014-01-01T23:28:56.782Z

    id string<uuid>

    The ID

    status identityVerifiableAddressStatus (string) required

    VerifiableAddressStatus must not exceed 16 characters as that is the limitation in the SQL Schema

    updated_at string<date-time>

    When this entry was last updated

    Example: 2014-01-01T23:28:56.782Z

    value string required

    The address value

    Example: foo@user.com

    verified boolean required

    Indicates if the address has already been verified

    Example: true

    verified_at string<date-time>

    via string required

    The delivery method

    Possible values: [email, sms]

    Example: email
  • ]
  • issued_at string<date-time>

    The Session Issuance Timestamp

    When this session was issued at. Usually equal or close to authenticated_at.

    tokenized string

    Tokenized is the tokenized (e.g. JWT) version of the session.

    It is only set when the tokenize query parameter was set to a valid tokenize template during calls to /sessions/whoami.

  • ]
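
using System;
using System.Net.Http;

// List the other active sessions of the logged-in user.
var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Get, "https://accounts.<domain>/auth/sessions");
request.Headers.Add("Accept", "application/json");
// Authenticate with the X-Session-Token or Cookie header described under Header Parameters.
var response = await client.SendAsync(request);
response.EnsureSuccessStatusCode(); // throws on a non-2xx status
Console.WriteLine(await response.Content.ReadAsStringAsync());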
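
An added example, not part of the original reference: a Python function that reviews the parsed response of this endpoint and reports still-usable sessions that fall below a chosen assurance level, were authenticated only through recovery methods, or list more than one IP address under devices. The function names, the `min_aal` threshold and the sample data are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

RECOVERY = {"link_recovery", "code_recovery"}  # recovery methods listed in the schema

def parse_ts(ts):
    """Parse a date-time string from the response, ignoring fractional seconds."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", ts).replace("Z", "+00:00"))

def review_sessions(sessions, now, min_aal="aal2"):
    """Map session id -> findings for sessions that are active and unexpired."""
    report = {}
    for s in sessions:
        expires = s.get("expires_at")
        if not s.get("active") or (expires and parse_ts(expires) <= now):
            continue  # already unusable, nothing to review
        findings = []
        aal = s.get("authenticator_assurance_level", "aal0")
        if aal < min_aal:  # "aal0" < "aal1" < "aal2" < "aal3" as strings
            findings.append(f"assurance level {aal} below {min_aal}")
        methods = {m.get("method") for m in s.get("authentication_methods") or []}
        if methods and methods <= RECOVERY:
            findings.append("authenticated only through account recovery")
        ips = {d["ip_address"] for d in s.get("devices") or [] if d.get("ip_address")}
        if len(ips) > 1:
            findings.append("used from several IP addresses: " + ", ".join(sorted(ips)))
        if findings:
            report[s["id"]] = findings
    return report

# Constructed sample (not real data), limited to the fields used above.
SAMPLE = [
    {"id": "00000000-0000-4000-8000-000000000001", "active": True,
     "expires_at": "2030-01-02T00:00:00.782Z", "authenticator_assurance_level": "aal2",
     "authentication_methods": [{"method": "password"}, {"method": "totp"}],
     "devices": [{"ip_address": "192.0.2.10"}]},
    {"id": "00000000-0000-4000-8000-000000000002", "active": True,
     "expires_at": "2030-01-02T00:00:00Z", "authenticator_assurance_level": "aal1",
     "authentication_methods": [{"method": "code_recovery"}],
     "devices": [{"ip_address": "192.0.2.10"}, {"ip_address": "198.51.100.7"}]},
    {"id": "00000000-0000-4000-8000-000000000003", "active": True,
     "expires_at": "2029-12-31T00:00:00Z", "authenticator_assurance_level": "aal1",
     "authentication_methods": [{"method": "password"}], "devices": []},
]

if __name__ == "__main__":
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)
    for sid, findings in review_sessions(SAMPLE, now).items():
        print(sid, "->", "; ".join(findings))
```

The findings are review prompts rather than verdicts: a session that moved between networks will also list several IP addresses.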