POST /auth/credentials/{id}/verify creates a new session — an authenticated signing context with a 15-minute lifetime by default. Sessions accumulate: a customer signed in on a laptop and a phone has two active sessions, each with its own session signing key held on that device. Use the session endpoints to show the customer their active sign-ins and to sign out of a specific device.
List active sessions
encryptedSessionSigningKey is never returned here — it is delivered exactly once on the verify response and never again.
Revoke a session
Session revocation uses the same signed-retry pattern as credential management. Unlike credential revocation, a session can revoke itself — this is how self-logout works: sign with the session key you are about to invalidate.1
First call — receive the challenge
2
Client signs the payload
Sign
payloadToSign with any active session signing key on the same account — either the session being revoked (self-logout) or another session (admin-style sign-out of a different device).3
Signed retry — session is revoked
204 No Content.