Sessions API

Manage user sessions and devices.

Endpoints

GET /v1/admin/sessions

List all active sessions

DELETE /v1/admin/sessions/:id

Revoke a specific session

GET /v1/admin/users/:id/sessions

List sessions for a user

DELETE /v1/admin/users/:id/sessions

Revoke all sessions for a user

Session Object

{
  "id": "sess_abc123",
  "userId": "user_xyz789",
  "device": {
    "id": "dev_123",
    "name": "Chrome on MacOS",
    "type": "browser",
    "fingerprint": "abc..."
  },
  "ip": "192.168.1.1",
  "location": {
    "country": "US",
    "city": "San Francisco"
  },
  "createdAt": "2026-01-25T10:00:00Z",
  "lastActiveAt": "2026-01-25T12:00:00Z",
  "expiresAt": "2026-02-01T10:00:00Z"
}

Device Fingerprinting

Zalt uses device fingerprinting with 70% fuzzy matching to detect session hijacking attempts.

When a session is used from a device that doesn't match the original fingerprint, the session is flagged and the user may be required to re-authenticate.
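
A minimal model of threshold-based fingerprint matching, added here as an illustration and not Zalt's own code: the signal names and the equal-weight scoring are assumptions, since this page does not document how the 70% match is computed. It shows why a fuzzy threshold tolerates ordinary drift (browser update, new monitor, travel) yet still flags a different machine.

```python
# Added illustration: an assumed scoring model, not Zalt's implementation.
THRESHOLD = 0.70  # the 70% figure from the documentation above

# Hypothetical signal names; this page does not list what Zalt collects.
SIGNALS = ("userAgent", "platform", "screen", "timezone", "language",
           "colorDepth", "cpuCores", "gpu", "fonts", "touch")


def similarity(original: dict, current: dict) -> float:
    """Return the fraction of signals whose values are identical in both."""
    compared = [s for s in SIGNALS if s in original or s in current]
    if not compared:
        return 0.0  # nothing to compare is a mismatch, never a match
    same = sum(1 for s in compared
               if s in original and s in current and original[s] == current[s])
    return same / len(compared)


def check_session(original: dict, current: dict, threshold: float = THRESHOLD) -> dict:
    """Score the current device against the fingerprint stored at sign-in."""
    score = similarity(original, current)
    return {"score": round(score, 2), "flagged": score < threshold}


# Constructed sample fingerprints (not real data).
ENROLLED = {
    "userAgent": "Chrome/131 Mac", "platform": "MacIntel", "screen": "1728x1117",
    "timezone": "America/Los_Angeles", "language": "en-US", "colorDepth": 30,
    "cpuCores": 10, "gpu": "Apple M2", "fonts": "f3a1", "touch": False,
}
# Same laptop after a browser update, on an external monitor, while travelling.
SAME_DEVICE = {**ENROLLED, "userAgent": "Chrome/132 Mac",
               "screen": "2560x1440", "timezone": "America/New_York"}
# A different machine presenting the same session: only two signals agree.
OTHER_DEVICE = {
    "userAgent": "Firefox/133 Linux", "platform": "Linux x86_64", "screen": "1920x1080",
    "timezone": "Europe/Berlin", "language": "en-US", "colorDepth": 24,
    "cpuCores": 4, "gpu": "llvmpipe", "fonts": "09bc", "touch": False,
}

if __name__ == "__main__":
    for label, fp in (("same device", SAME_DEVICE), ("other device", OTHER_DEVICE)):
        print(label, check_session(ENROLLED, fp))
```

A signal missing from either side counts as a mismatch, so a client that withholds signals scores lower rather than higher.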