Sessions
Each refresh token represents a session. Sessions track when and where a user logged in, and can be revoked individually or all at once.
List Sessions
```python
sessions = await auth.get_sessions(user_id, active_only=True)
for session in sessions:
    print(session.id)          # UUID
    print(session.user_agent)  # "Mozilla/5.0 ..."
    print(session.ip_address)  # "192.168.1.1"
    print(session.created_at)  # datetime
    print(session.expires_at)  # datetime
    print(session.revoked)     # bool
```
Set `active_only=False` to include revoked and expired sessions.
Revoke a Single Session
```python
revoked = await auth.revoke_session(session_id)
# True if found and revoked, False if not found
```
This revokes the refresh token associated with the session. The user’s access token for that session remains valid until it expires (typically 15 minutes).
Revoke All Sessions
```python
await auth.revoke_all_sessions(user_id)
```
This revokes every refresh token for the user and bumps their token version, which invalidates all access tokens immediately.
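The difference between the two revocation paths above, shown as an added example that is not the library's own code: a simplified in-memory model in which access tokens are checked statelessly against expiry and a per-user token version. The `Store` class, its fields, and the token layout are assumptions made for illustration.

```python
# Added illustration: a minimal in-memory model, NOT the library's implementation.
import uuid
from dataclasses import dataclass, field

ACCESS_TTL = 15 * 60  # seconds; the page's "typically 15 minutes"

@dataclass
class Store:  # hypothetical stand-in for the auth backend
    token_version: dict = field(default_factory=dict)  # user -> int
    sessions: dict = field(default_factory=dict)       # sid -> {"user", "revoked"}

    def login(self, user, now):
        sid = str(uuid.uuid4())
        self.sessions[sid] = {"user": user, "revoked": False}
        return sid, self.issue_access(sid, now)

    def issue_access(self, sid, now):
        # Refresh path: this is where a revoked session is actually refused.
        s = self.sessions[sid]
        if s["revoked"]:
            raise PermissionError("refresh token revoked")
        ver = self.token_version.setdefault(s["user"], 0)
        return {"sub": s["user"], "sid": sid, "ver": ver, "exp": now + ACCESS_TTL}

    def access_valid(self, tok, now):
        # Stateless check (assumed): expiry and token version, no session lookup.
        return now < tok["exp"] and tok["ver"] == self.token_version[tok["sub"]]

    def revoke_session(self, sid):
        if sid not in self.sessions:
            return False
        self.sessions[sid]["revoked"] = True
        return True

    def revoke_all_sessions(self, user):
        for s in self.sessions.values():
            if s["user"] == user:
                s["revoked"] = True
        self.token_version[user] = self.token_version.get(user, 0) + 1

def demo():
    store, t0 = Store(), 1_000_000  # constructed clock value
    sid, access = store.login("alice", t0)
    store.revoke_session(sid)
    in_window = store.access_valid(access, t0 + 60)             # still accepted
    after_ttl = store.access_valid(access, t0 + ACCESS_TTL)     # expired
    _, access2 = store.login("alice", t0)
    store.revoke_all_sessions("alice")
    after_all = store.access_valid(access2, t0 + 60)            # version mismatch
    return in_window, after_ttl, after_all
```

When a single session is revoked in response to a suspected compromise, the remaining access-token lifetime is the exposure window; revoking all sessions closes it at once.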
Keep Current Session
The `exclude` parameter keeps one session alive, which is useful for “sign out all other devices”:
```python
# Keep current session, revoke all others ("sign out other devices")
await auth.revoke_all_sessions(user_id, exclude=current_session_id)
```
The `session_id` is available on the `UserResponse` from `current_user`. It comes from the `sid` claim in the JWT.
Session Metadata
Sessions capture metadata from the HTTP request at login time:
- User Agent — the browser or client identifier
- IP Address — the client’s IP at login
This data is recorded when the refresh token is created and doesn’t change for the life of the session.
Events
Emits `session_revoked` events. See Events & Hooks for all events and their payloads.