Auth0 uses sessions to maintain the authentication state of a user across requests.
The Auth0 Management API session management endpoints are available to customers on Enterprise plans. To learn more, read Pricing.

Management API endpoints

The Management API provides out-of-band access to the internals of user sessions in the Auth0 Session Layer, and deletion methods to force session termination.

Session resource

You can view or delete a specific session with the following endpoints:
| Name | URL | Required scope(s) |
| --- | --- | --- |
| Introspect a specific session by ID | GET /api/v2/sessions/ | read:sessions |
| Delete a specific session by ID | DELETE /api/v2/sessions/ | delete:sessions |

User resource

You can list or delete all sessions for a given user with the following endpoints:
| Name | URL | Required scope(s) |
| --- | --- | --- |
| List sessions details of a user | GET /api/v2/users//sessions | read:sessions |
| Delete all user sessions | DELETE /api/v2/users//sessions | delete:sessions |

Session properties

The session endpoints return relevant information about the session and its history.
| Field | Description |
| --- | --- |
| Session ID | The session ID is a persistent identifier of the session in the Auth0 tenant. Note that the session ID corresponds to the sid claim already in ID Tokens and Logout Tokens and can be used to cross-reference these entities. |
| Relevant Time | Session creation, authentication time, and expiry information. |
| Device Information | The device property traces details related to the user agent (for example, browser) used in the interactions with this Auth0 session. |
| Authentication Information | Contains summary information about the methods used to authenticate in this session. |

For detailed information about these fields, refer to the Management API documentation.

OIDC Back-Channel Logout Initiators

Session deletion events are connected to OIDC Back-Channel Logout through the session-deleted initiator. To learn more, read OIDC Back-Channel Logout Initiators.

Sessions and refresh tokens

Sessions and refresh tokens collaborate to reduce the friction of user authentication while optimizing security. To learn more, read Best Practices for Application Session Management on the Auth0 Blog. Refresh tokens can remain active after a session has expired or been deleted, or after the user logs out. You can use the Management API to manage refresh tokens independently or in collaboration with sessions.

Limitations

Delete session operations run asynchronously, and are eventually consistent.
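
Because deletion is asynchronous, a responder who forces a logout should confirm it took effect rather than trust the delete response. The sketch below is an added example, not Auth0's own code: it deletes all sessions of a user and polls the list endpoint until none remain. It assumes the user ID fills the empty path segment in /api/v2/users//sessions and that the list response is a JSON object with a "sessions" array; the function names and the sample user ID are hypothetical.

```python
import json
import time
import urllib.parse
import urllib.request


def management_call(domain, token, method, path):
    """Send one Management API request; return (status, decoded JSON or None)."""
    req = urllib.request.Request(
        f"https://{domain}{path}",
        method=method,
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
        return resp.status, json.loads(body) if body else None


def user_sessions_path(user_id):
    # User IDs such as "auth0|abc123" contain "|", which must be percent-encoded.
    return f"/api/v2/users/{urllib.parse.quote(user_id, safe='')}/sessions"


def revoke_and_confirm(user_id, call, attempts=5, delay=2.0, sleep=time.sleep):
    """Delete all sessions of a user, then poll until none are listed.

    `call(method, path)` returns (status, json), for example
    lambda m, p: management_call(domain, token, m, p).
    Returns the number of list polls needed; raises TimeoutError if
    sessions are still listed after the last poll.
    """
    path = user_sessions_path(user_id)
    status, _ = call("DELETE", path)        # token needs delete:sessions
    if not 200 <= status < 300:
        raise RuntimeError(f"delete request rejected with HTTP {status}")
    for poll in range(1, attempts + 1):
        status, body = call("GET", path)    # token needs read:sessions
        # Assumption: the list response is an object with a "sessions" array.
        if status == 200 and not (body or {}).get("sessions"):
            return poll
        sleep(delay)
    raise TimeoutError(f"sessions for {user_id} still listed after {attempts} polls")
```

An empty list confirms only that the sessions are gone; as noted under Sessions and refresh tokens, refresh tokens can remain active and are managed separately.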
