Manage User Sessions with Auth0 Management API

Auth0 uses sessions to maintain the authentication state of a user across requests.

Management API endpoints

The Management API provides out-of-band access to the internals of user sessions in the Auth0 Session Layer, and deletion methods to force session termination.

Session resource

You can view or delete a specific session with the following endpoints:

| Name | URL | Required scope(s) |
| --- | --- | --- |
| Introspect a specific session by ID | GET /api/v2/sessions/{sessionId} | read:sessions |
| Delete a specific session by ID | DELETE /api/v2/sessions/{sessionId} | delete:sessions |

User resource

You can list or delete all sessions for a given user with the following endpoints:

| Name | URL | Required scope(s) |
| --- | --- | --- |
| List session details of a user | GET /api/v2/users/{userId}/sessions | read:sessions |
| Delete all user sessions | DELETE /api/v2/users/{userId}/sessions | delete:sessions |

Session properties

The session endpoints return relevant information about the session and its history.

| Field | Description |
| --- | --- |
| Session ID | The session ID is a persistent identifier of the session in the Auth0 tenant. Note that the session ID corresponds to the sid claim already present in ID Tokens and Logout Tokens and can be used to cross-reference these entities. |
| Relevant Time | Session creation, authentication time, and expiry information. |
| Device Information | The device property traces details related to the user agent (for example, browser) used in the interactions with this Auth0 session. |
| Authentication Information | Contains summary information about the methods used to authenticate in this session. |

For detailed information about these fields, refer to the Management API documentation.

OIDC Back-Channel Logout Initiators

Session deletion events are connected to OIDC Back-Channel Logout through the session-deleted initiator. To learn more, read OIDC Back-Channel Logout Initiators.

Sessions and refresh tokens

Sessions and refresh tokens collaborate to reduce the friction of user authentication while optimizing security. To learn more, read Best Practices for Application Session Management on Auth0 Blog.

Refresh tokens can remain active after a session has expired or been deleted, or after the user logs out. You can use the Management API to manage refresh tokens independently or in collaboration with sessions.

Limitations

Session delete operations run asynchronously and are eventually consistent: a delete request is accepted before the session is actually removed, so a read issued immediately afterwards may still return the session.
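The following is an added example, not Auth0's own code or SDK. It wraps the four endpoints from the tables above in a small client that refuses a call up front when the Management API token lacks the required scope, cross-references a sid claim against a user's session listing, and, because deletion is asynchronous, polls the introspection endpoint until it returns 404 instead of assuming the DELETE took effect immediately. The in-memory FakeAuth0 transport, the 202 status for accepted deletes, the `sessions` array in the list response and the session field names (`id`, `user_id`, `device.user_agent`) are assumptions; for real use, substitute a transport that sends the request over HTTPS to your tenant with a Management API token in the Authorization header.

```python
"""Added example, not Auth0's code: a client for the session endpoints above."""
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote, unquote

# Endpoint name -> (method, path template, required scope), as documented above.
ENDPOINTS: Dict[str, Tuple[str, str, str]] = {
    "get_session": ("GET", "/api/v2/sessions/{sessionId}", "read:sessions"),
    "delete_session": ("DELETE", "/api/v2/sessions/{sessionId}", "delete:sessions"),
    "list_user_sessions": ("GET", "/api/v2/users/{userId}/sessions", "read:sessions"),
    "delete_user_sessions": ("DELETE", "/api/v2/users/{userId}/sessions", "delete:sessions"),
}
Transport = Callable[[str, str], Tuple[int, dict]]  # (method, path) -> (status, body)

# Constructed sample data; the field names are an assumption about the API's JSON.
SAMPLE_SESSIONS: List[dict] = [
    {"id": "sess_A", "user_id": "auth0|user-1", "device": {"user_agent": "Firefox/125.0"}},
    {"id": "sess_B", "user_id": "auth0|user-1", "device": {"user_agent": "Safari/604.1"}},
    {"id": "sess_C", "user_id": "auth0|user-2", "device": {"user_agent": "curl/8.5.0"}},
]


class FakeAuth0:
    """Constructed stand-in for the tenant, not a real API. A DELETE is accepted at
    once, but the session only disappears after `lag` further reads, mimicking the
    eventually consistent deletion described under Limitations."""

    def __init__(self, sessions: List[dict], lag: int = 2):
        self.sessions = {s["id"]: dict(s) for s in sessions}
        self.lag = lag
        self.pending: Dict[str, int] = {}  # session id -> reads left until it is gone

    def __call__(self, method: str, path: str) -> Tuple[int, dict]:
        parts = [unquote(p) for p in path.strip("/").split("/")]
        if method == "GET":  # each read moves pending deletions closer to visibility
            for sid in list(self.pending):
                self.pending[sid] -= 1
                if self.pending[sid] <= 0:
                    del self.pending[sid]
                    self.sessions.pop(sid, None)
        if parts[2] == "sessions":  # /api/v2/sessions/{sessionId}
            sid = parts[3]
            if sid not in self.sessions:
                return 404, {}
            if method == "DELETE":
                self.pending[sid] = self.lag
                return 202, {}  # 202 Accepted for the async delete is an assumption
            return 200, self.sessions[sid]
        mine = [s for s in self.sessions.values() if s["user_id"] == parts[3]]
        if method == "DELETE":  # /api/v2/users/{userId}/sessions
            for s in mine:
                self.pending[s["id"]] = self.lag
            return 202, {}
        return 200, {"sessions": mine}


class SessionClient:
    """Calls the endpoints through a transport, refusing up front any call whose
    required scope the Management API token was not granted."""

    def __init__(self, transport: Transport, granted_scopes: str):
        self._send = transport
        self._scopes = set(granted_scopes.split())

    def _call(self, name: str, **params: str) -> Tuple[int, dict]:
        method, template, scope = ENDPOINTS[name]
        if scope not in self._scopes:
            raise PermissionError(f"{name} requires scope {scope!r}")
        path = template.format(**{k: quote(v, safe="") for k, v in params.items()})
        return self._send(method, path)

    def get_session(self, session_id: str) -> Optional[dict]:
        status, body = self._call("get_session", sessionId=session_id)
        return body if status == 200 else None

    def list_user_sessions(self, user_id: str) -> List[dict]:
        status, body = self._call("list_user_sessions", userId=user_id)
        return body.get("sessions", []) if status == 200 else []

    def delete_session(self, session_id: str) -> bool:
        return self._call("delete_session", sessionId=session_id)[0] in (202, 204)

    def delete_user_sessions(self, user_id: str) -> bool:
        return self._call("delete_user_sessions", userId=user_id)[0] in (202, 204)

    def wait_until_gone(self, session_id: str, attempts: int = 5, delay: float = 0.0) -> bool:
        """Deletion is asynchronous: poll introspection until it answers 404."""
        for _ in range(attempts):
            if self.get_session(session_id) is None:
                return True
            time.sleep(delay)
        return False


def find_session_for_sid(sessions: List[dict], sid: str) -> Optional[dict]:
    """Cross-reference the sid claim of an ID Token or Logout Token with a listing."""
    return next((s for s in sessions if s["id"] == sid), None)
```

A typical flow is `SessionClient(transport, "read:sessions delete:sessions")`, then `delete_session(sid)` followed by `wait_until_gone(sid, attempts=5, delay=1.0)` before treating the session as terminated; a client constructed with only `read:sessions` raises `PermissionError` on any delete, which surfaces a misconfigured token locally rather than as an API error.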

Learn more