Sessions

GET /orgs/{orgId}/api/v1/admin/sessions
DELETE /orgs/{orgId}/api/v1/admin/sessions/{sessionId}
POST /orgs/{orgId}/api/v1/admin/sessions/revoke-all
GET /orgs/{orgId}/api/v1/admin/sessions/stats
GET /orgs/{orgId}/api/v1/admin/sessions/count
GET /orgs/{orgId}/api/v1/admin/users/{userId}/sessions
DELETE /orgs/{orgId}/api/v1/admin/users/{userId}/sessions
POST /orgs/{orgId}/api/v1/admin/users/{userId}/sessions/revoke
GET /orgs/{orgId}/api/v1/admin/tokens
DELETE /orgs/{orgId}/api/v1/admin/tokens/{tokenId}
DELETE /orgs/{orgId}/api/v1/admin/users/{userId}/tokens
POST /orgs/{orgId}/api/v1/admin/users/{userId}/tokens/revoke
DELETE /orgs/{orgId}/api/v1/admin/clients/{clientId}/tokens
POST /orgs/{orgId}/api/v1/admin/clients/{clientId}/tokens/revoke
GET /orgs/{orgId}/api/v1/oauth/check_session

Sessions represent active user logins. Each session records when and how a user authenticated and the device used, and can be revoked individually for security purposes.

note

All session management endpoints require ROLE_TENANT_ADMIN or a valid admin API key.

Authentication

All session management endpoints require a valid admin API key or a Bearer token issued to a user with settings.manage permission.

Session Object

Session Object
{
  "id": "01JF3KSES...",
  "userId": "01JF3KUSER...",
  "userEmail": "john@acme.com",
  "ipAddress": "203.0.113.45",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
  "createdAt": "2026-03-01T08:00:00Z",
  "lastActivityAt": "2026-03-01T09:30:00Z",
  "expiresAt": "2026-03-02T08:00:00Z",
  "isActive": true
}

List All Sessions

List Sessions
curl "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/sessions?limit=50" \
  -H "Authorization: ApiKey lmk_abc123"

Query Parameters

Parameter   Description
page        Page number (default: 1)
limit       Results per page (default: 20, max: 100)
userId      Filter sessions for a specific user
isActive    Filter by active status (true/false)

List User Sessions

List Sessions for a Specific User
curl "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/users/01JF3KUSER.../sessions" \
  -H "Authorization: ApiKey lmk_abc123"

Session Statistics

Get Statistics

Get Session Statistics
curl "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/sessions/stats" \
  -H "Authorization: ApiKey lmk_abc123"

Stats Response
{
  "data": {
    "data": {
      "total": 284,
      "active": 142,
      "inactive": 142
    }
  }
}

Get Active Session Count

Get Active Session Count
curl "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/sessions/count" \
  -H "Authorization: ApiKey lmk_abc123"

Count Response
{
  "data": {
    "data": { "count": 142 }
  }
}

Revoke Sessions

Revoke a Single Session

Revoke Single Session
curl -X DELETE \
  "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/sessions/01JF3KSES..." \
  -H "Authorization: ApiKey lmk_abc123"
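As an added example (not LumoAuth's own code), the list and single-session revocation endpoints above combined into a small triage script: it pages through active sessions using the page/limit/isActive query parameters, flags users holding concurrent sessions from more than one IP address, and revokes all but the most recently active one. It assumes the list endpoint wraps results in the same data.data envelope as the stats endpoint and returns an empty list past the last page; the sample sessions and the sample_transport stand-in are constructed so the script runs offline.

```python
import json, urllib.parse, urllib.request
from collections import defaultdict

BASE = "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin"  # org id from the page
API_KEY = "lmk_abc123"  # placeholder key reused from the page's curl examples

def http_transport(method, path, params=None):
    # ASSUMPTION: list responses use the {"data": {"data": ...}} envelope the stats call shows.
    url = BASE + path + ("?" + urllib.parse.urlencode(params) if params else "")
    req = urllib.request.Request(url, method=method, headers={"Authorization": f"ApiKey {API_KEY}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]["data"] if method == "GET" else None

# Constructed sample data (not real sessions): two pages, then an empty one.
SAMPLE_PAGES = {
    1: [{"id": "s-a1", "userId": "u-1", "ipAddress": "203.0.113.45", "lastActivityAt": "2026-03-01T09:30:00Z"},
        {"id": "s-a2", "userId": "u-1", "ipAddress": "198.51.100.7", "lastActivityAt": "2026-03-01T09:31:00Z"}],
    2: [{"id": "s-b1", "userId": "u-2", "ipAddress": "203.0.113.9", "lastActivityAt": "2026-03-01T08:00:00Z"}],
}

def sample_transport(log):
    """Offline stand-in for http_transport; records every request it receives."""
    def send(method, path, params=None):
        log.append((method, path, params))
        return SAMPLE_PAGES.get(params["page"], []) if method == "GET" else None
    return send

def list_active_sessions(transport, limit=100):
    """Walk page/limit (limit max 100 per the docs) until a page comes back empty."""
    page, sessions = 1, []
    while batch := transport("GET", "/sessions", {"page": page, "limit": limit, "isActive": "true"}):
        sessions.extend(batch)
        page += 1
    return sessions

def users_with_multiple_ips(sessions):
    """Concurrent active sessions from different IPs deserve a closer look."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["userId"]].append(s)
    return {u: ss for u, ss in by_user.items() if len({s["ipAddress"] for s in ss}) > 1}

def revoke_all_but_latest(transport, sessions):
    """Keep the most recently active session (ISO-8601 strings compare lexically) and revoke the rest."""
    keep = max(sessions, key=lambda s: s["lastActivityAt"])
    revoked = [s["id"] for s in sessions if s["id"] != keep["id"]]
    for sid in revoked:
        transport("DELETE", f"/sessions/{sid}")
    return revoked
```

Swap sample_transport for http_transport to run against the real API; the flagged users are a starting point for review, not proof of compromise, so check the user agents and timestamps before revoking.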

Revoke All Sessions for a User

Force Logout a User (DELETE)
curl -X DELETE \
  "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/users/01JF3KUSER.../sessions" \
  -H "Authorization: ApiKey lmk_abc123"

Force Logout a User (POST)
curl -X POST \
  "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/users/01JF3KUSER.../sessions/revoke" \
  -H "Authorization: ApiKey lmk_abc123"

Revoke All Organization Sessions

Revokes all active sessions for every user in the organization. Requires explicit confirmation in the request body ({"confirm": true}).

Revoke All Sessions (organization-wide)
curl -X POST \
  "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/sessions/revoke-all" \
  -H "Authorization: ApiKey lmk_abc123" \
  -H "Content-Type: application/json" \
  -d '{"confirm": true}'

warning

This signs out all users in the organization simultaneously. Use with caution.

Token Management

Revoke active access or refresh tokens without terminating the session.

List Active Tokens

List Active Tokens
curl "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/tokens?userId=01JF3KUSER..." \
  -H "Authorization: ApiKey lmk_abc123"

Revoke a Token

Revoke a Token
curl -X DELETE \
  "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/tokens/01JF3KTOK..." \
  -H "Authorization: ApiKey lmk_abc123"

Revoke All Tokens for a User

Revoke All User Tokens (DELETE)
curl -X DELETE \
  "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/users/01JF3KUSER.../tokens" \
  -H "Authorization: ApiKey lmk_abc123"

Revoke All User Tokens (POST)
curl -X POST \
  "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/users/01JF3KUSER.../tokens/revoke" \
  -H "Authorization: ApiKey lmk_abc123"

Revoke All Tokens for a Client

Revoke All Client Tokens (DELETE)
curl -X DELETE \
  "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/clients/my-app/tokens" \
  -H "Authorization: ApiKey lmk_abc123"

Revoke All Client Tokens (POST)
curl -X POST \
  "https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/clients/my-app/tokens/revoke" \
  -H "Authorization: ApiKey lmk_abc123"

OIDC check_session

GET /orgs/{orgId}/api/v1/oauth/check_session

Implements the OpenID Connect Session Management specification. Load this URL in a hidden iframe within your relying party to detect session state changes at the provider (for example, a logout in another tab):

check_session iframe (JavaScript)
// clientId is your OAuth client_id; sessionState is the session_state value
// returned with the authorization response (see the tip below).
const OP_ORIGIN = "https://app.lumoauth.dev";
const iframe = document.createElement("iframe");
iframe.src = `${OP_ORIGIN}/orgs/acme-corp/api/v1/oauth/check_session`;
iframe.style.display = "none";
document.body.appendChild(iframe);

// Start polling only once the OP frame has loaded; earlier messages go nowhere.
iframe.addEventListener("load", () => {
  setInterval(() => {
    // Message format per the spec: "<client_id> <session_state>"
    iframe.contentWindow.postMessage(`${clientId} ${sessionState}`, OP_ORIGIN);
  }, 3000);
});

window.addEventListener("message", (event) => {
  if (event.origin !== OP_ORIGIN) return; // ignore messages from any other origin
  if (event.data === "changed") {
    // Session changed at the OP (e.g. logout in another tab): re-authenticate
  } else if (event.data === "error") {
    // The OP could not parse the message: check clientId and sessionState
  }
});

tip

The session_state value is returned in the authorization response. Store it and include it in postMessage calls.
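To make concrete what the iframe's "changed", "unchanged" and "error" replies mean, here is an added Python sketch (not LumoAuth's implementation) of the OP side of check_session, using the session_state construction the OIDC Session Management spec gives as its example: SHA-256 over client_id, the RP origin, the OP's browser-state cookie value and a salt, with the salt appended after a dot. Whether LumoAuth uses exactly this construction is not stated on this page; the op_browser_state values used below are hypothetical.

```python
import hashlib
import hmac
import secrets

def compute_session_state(client_id, origin, op_browser_state, salt=None):
    """session_state = hex(SHA-256(client_id + " " + origin + " " + op_browser_state
    + " " + salt)) + "." + salt, the spec's example construction. op_browser_state is
    whatever the OP stores in its own cookie to identify the current login (hypothetical)."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256(f"{client_id} {origin} {op_browser_state} {salt}".encode()).hexdigest()
    return f"{digest}.{salt}"

def check_session(message, origin, op_browser_state):
    """What the OP's check_session iframe answers to one postMessage.
    message is the RP's "<client_id> <session_state>" string, origin is the
    message's event.origin, op_browser_state is read from the OP's cookie."""
    parts = message.split(" ")
    if len(parts) != 2 or not parts[0] or "." not in parts[1]:
        return "error"  # malformed message; the RP should not treat this as "changed"
    client_id, session_state = parts
    salt = session_state.rsplit(".", 1)[1]  # salt travels inside session_state
    expected = compute_session_state(client_id, origin, op_browser_state, salt)
    return "unchanged" if hmac.compare_digest(expected, session_state) else "changed"
```

Because the origin is part of the hash, a session_state issued to one relying party yields "changed" when replayed from another origin, which is why the RP must pass the exact value it received and only trust replies from the OP origin.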