
Revoking a session

Method 1: Revoking by creating your own API.

important

We provide a default sign out API that does something very similar to the code below. So please have a look at that page first.

let express = require("express");
let { verifySession } = require("supertokens-node/recipe/session/framework/express");

let app = express();

// verifySession() rejects the request with a 401 if there is no valid session,
// so req.session is guaranteed to exist inside the handler.
app.post("/logout", verifySession(), async (req, res) => {
    // This will delete the session from the db and from the frontend (cookies)
    await req.session.revokeSession();
    res.send("Success! User session revoked");
});
tip

When calling this API from the frontend, treat a 401 response as a successful logout. verifySession returns 401 when the session has already expired, and an expired session is equivalent to the user being logged out.

Method 2: Revoking a session using a sessionHandle.

caution

This and the remaining methods below only delete the session from the db; they do not clear the access token and refresh token already held by the frontend.

This means the user can still call protected endpoints until their current access token expires (unless you enable access token blacklisting, described at the end of this page). The refresh token, however, will fail at the next refresh because the session row is gone.

These endpoints also revoke sessions based on identifiers supplied in the request body. As written they have no authentication of their own, so expose them only to an authorized caller (for example behind an admin-only session check or a trusted backend), otherwise anyone who can reach them can log out arbitrary users.

let express = require("express");
let Session = require("supertokens-node/recipe/session");

let app = express();
app.use(express.json()); // needed so that req.body is parsed

app.post("/revoke-user-session", async (req, res) => {
    // sessionHandle is a single string identifying one session
    let sessionHandle = req.body.sessionHandle;
    await Session.revokeSession(sessionHandle);
    res.send("Success! User session revoked");
});

Method 3: Revoking multiple sessions using an array of sessionHandle.

let express = require("express");
let Session = require("supertokens-node/recipe/session");

let app = express();
app.use(express.json()); // needed so that req.body is parsed

app.post("/revoke-multiple-sessions", async (req, res) => {
    // sessionHandles is a string[]
    let sessionHandles = req.body.sessionHandles;
    await Session.revokeMultipleSessions(sessionHandles);
    res.send("Success! All user sessions have been revoked");
});

Method 4: Revoking all sessions for a userId.

let express = require("express");
let Session = require("supertokens-node/recipe/session");

let app = express();
app.use(express.json()); // needed so that req.body is parsed

app.post("/revoke-all-user-sessions", async (req, res) => {
    // Revokes every session belonging to this userId (all devices / browsers)
    let userId = req.body.userId;
    await Session.revokeAllSessionsForUser(userId);
    res.send("Success! All user sessions have been revoked");
});

Access token blacklisting

Once this feature is enabled, each session verification attempt results in a database call that checks whether the session still exists. This ensures that after a session has been revoked, the access token still held by the frontend is rejected at its next use instead of remaining usable until it expires.

caution

On enabling this feature there will be a database call for each session verification attempt. This may slow down all of your API calls.

With access token blacklisting enabled, the revocation APIs in Method 2, Method 3 and Method 4 take effect immediately: the access token left on the frontend no longer matters, because every session verification now consults the database and sees that the session is gone.

You can enable this feature by setting the value in the core config:

docker run \
    -p 3567:3567 \
    -e ACCESS_TOKEN_BLACKLISTING=true \
    -d registry.supertokens.io/supertokens/supertokens-<db_name>
info

For the managed service, this value can be updated from our dashboard.