Skip to main content
Every call to POST /auth/credentials/{id}/verify creates a new session — an authenticated signing context with a 15-minute lifetime by default. Sessions accumulate: a customer signed in on a laptop and a phone has two active sessions, each with its own session signing key held on that device. Use the session endpoints to show the customer their active sign-ins and to sign out of a specific device.

List active sessions

Response (200):
The list endpoint returns all active sessions; expired sessions are not included. encryptedSessionSigningKey is never returned here — it is delivered exactly once on the verify response and never again.

Revoke a session

Session revocation uses the same signed-retry pattern as credential management. Unlike credential revocation, a session can revoke itself — this is how self-logout works: sign with the session key you are about to invalidate.
1

First call — receive the challenge

Response (202):
2

Client signs the payload

Sign payloadToSign with any active session signing key on the same account — either the session being revoked (self-logout) or another session (admin-style sign-out of a different device).
3

Signed retry — session is revoked

Response: 204 No Content.
Revoking a session only invalidates the session signing key, not the credential that issued it. The next call to POST /auth/credentials/{id}/verify on that credential still works and issues a brand new session.