Manage User Sessions with Auth0 Management API
Auth0 uses sessions to maintain the authentication state of a user across requests.
Management API endpoints
The Management API provides out-of-band access to the internals of user sessions in the Auth0 Session Layer, and deletion methods to force session termination.
Session resource
You can view or delete a specific session with the following endpoints:
Name | URL | Required scope(s) |
---|---|---|
Introspect a specific session by ID | GET /api/v2/sessions/{sessionId} | read:sessions |
Delete a specific session by ID | DELETE /api/v2/sessions/{sessionId} | delete:sessions |
User resource
You can list or delete all sessions for a given user with the following endpoints:
Name | URL | Required scope(s) |
---|---|---|
List session details of a user | GET /api/v2/users/{userId}/sessions | read:sessions |
Delete all user sessions | DELETE /api/v2/users/{userId}/sessions | delete:sessions |
Session properties
The session endpoints return relevant information about the session and its history.
Field | Description |
---|---|
Session ID | The session ID is a persistent identifier of the session in the Auth0 tenant. Note that the session ID corresponds to the sid claim already in ID Tokens and Logout Tokens and can be used to cross-reference these entities. |
Relevant Time | Session creation, authentication time, and expiry information. |
Device Information | The device property traces details related to the user agent (for example, browser) used in the interactions with this Auth0 session. |
Authentication Information | Contains summary information about the methods used to authenticate in this session. |
For detailed information about these fields, refer to the Management API documentation.
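A "log out everywhere else" routine built on the endpoints above, as an added example (not Auth0's own code): it lists a user's sessions, keeps the one whose ID matches the sid claim of the caller's ID token, and deletes the rest. The tenant domain is a placeholder, the sample listing is constructed, and the response field names (sessions, id, expires_at, device.last_user_agent) are assumed from the Management API response shape rather than taken from this page.

```python
import json
import urllib.parse
import urllib.request

# Placeholder tenant domain; replace with your own tenant.
API_BASE = "https://YOUR_TENANT.auth0.com/api/v2"

# Constructed sample of a GET /api/v2/users/{userId}/sessions response.
# Field names are assumed from the Management API response shape.
SAMPLE_LISTING = json.dumps({"sessions": [
    {"id": "sid_current", "expires_at": "2030-01-01T00:00:00.000Z",
     "device": {"last_user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}},
    {"id": "sid_old_phone", "expires_at": "2030-01-01T00:00:00.000Z",
     "device": {"last_user_agent": "Mozilla/5.0 (iPhone)"}},
]})


def _request(token, method, path):
    """Call the Management API with a token that carries the needed scope."""
    req = urllib.request.Request(API_BASE + path, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def sessions_to_revoke(listing_json, keep_sid):
    """Pick every session ID except the caller's current session, identified
    by the sid claim of its ID token (same value as the session ID here)."""
    sessions = json.loads(listing_json)["sessions"]
    return [s["id"] for s in sessions if s["id"] != keep_sid]


def revoke_other_sessions(token, user_id, keep_sid):
    """List sessions (read:sessions), then delete all but keep_sid (delete:sessions).
    Deletion is asynchronous and eventually consistent, so a GET issued right
    afterwards may still return a session that is already scheduled for removal.
    Refresh tokens are not affected and must be revoked separately."""
    _, body = _request(token, "GET", f"/users/{urllib.parse.quote(user_id)}/sessions")
    revoked = []
    for sid in sessions_to_revoke(body, keep_sid):
        status, _ = _request(token, "DELETE", f"/sessions/{urllib.parse.quote(sid)}")
        revoked.append((sid, status))
    return revoked
```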
OIDC Back-Channel Logout Initiators
Session deletion events are connected to OIDC Back-Channel Logout through the session-deleted initiator. To learn more, read OIDC Back-Channel Logout Initiators.
Sessions and refresh tokens
Sessions and refresh tokens collaborate to reduce the friction of user authentication while optimizing security. To learn more, read Best Practices for Application Session Management on Auth0 Blog.
Refresh tokens can remain active after a session has expired or been deleted, or after the user logs out. You can use the Management API to manage refresh tokens independently or in collaboration with sessions.
Limitations
Delete session operations run asynchronously, and are eventually consistent.