How to revoke sessions and sign users out everywhere with the WorkOS Sessions API

The WorkOS Sessions API gives developers full control over user sessions. With just a few API calls, you can now:

• List all active sessions for a user
• Revoke individual sessions

This makes it straightforward to build features like “sign out everywhere”, enforce stricter password reset flows, and quickly lock down accounts under threat.

Why session revocation matters

In most apps today, users are logged in on multiple devices at once: a laptop at work, a phone on the go, maybe even a tablet or shared family computer. At the same time, sessions are often backed by long-lived tokens so users don’t have to log in every day.

While convenient, this creates risk: if a device is stolen, an employee leaves the company, or credentials are exposed in a breach, those sessions can stay active for weeks or months unless you have a way to revoke them.

The WorkOS Sessions API solves this by letting you see all active sessions for a user and end them instantly. For example:

• After a password reset, revoke all existing sessions so no old devices remain logged in.
• When suspicious activity is detected (like logins from two continents within minutes), revoke just the risky session while leaving others untouched.
• Offer a “sign out everywhere” button so users can take action themselves—a feature now expected in enterprise-grade SaaS products like Slack or Google Workspace.
• Support operations teams, who can revoke a user’s sessions directly if they leave the organization or lose access rights.

Instead of waiting for sessions to expire on their own, you have precise control, improving both security and user trust.

Getting started with the Sessions API

Prerequisites

To use the Sessions API you will need a WorkOS account and an app with AuthKit enabled, along with your API credentials (which you can get from the Dashboard).

For the examples in this article, we use the Node.js SDK.

List a user’s active sessions

Use the List Sessions endpoint to fetch all active sessions for a user.

Node.js example:

	
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('WORKOS_API_KEY');

const sessions = await workos.userManagement.listSessions(
  'user_01E4ZCR3C56J083X43JQXF3JK5',
);
	

Response:

	
{
  "object": "list",
  "data": [
    {
      "object": "session",
      "id": "session_01E4ZCR3C56J083X43JQXF3JK5",
      "user_id": "user_01E4ZCR3C56J083X43JQXF3JK5",
      "organization_id": "org_01E4ZCR3C56J083X43JQXF3JK5",
      "status": "active",
      "auth_method": "password",
      "ip_address": "192.168.1.1",
      "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
      "expires_at": "2025-07-23T15:00:00.000Z",
      "ended_at": null,
      "created_at": "2025-07-23T14:00:00.000Z",
      "updated_at": "2025-07-23T14:00:00.000Z"
    }
  ],
  "list_metadata": {
    "before": null,
    "after": null
  }
}
	

This gives you a detailed view of where a user is logged in, when the session was last active, and useful metadata like IP address and device information.

Revoke a session by ID

To revoke a single session (for example, if one device looks suspicious), you can use the Revoke Session endpoint:

	
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('WORKOS_API_KEY');

await workos.userManagement.revokeSession({
  sessionId: 'session_01E4ZCR3C56J083X43JQXF3JK5',
});
	

Building “Sign out everywhere”

Because each device a user signs in from creates its own session, you’ll often see multiple sessions for the same user, each with distinct ip_address, user_agent, and expires_at values. To truly sign a user out everywhere, you need to:

1. List all active sessions for the user.
2. Revoke each session by ID.
3. Clear the local session on the device that initiated the sign-out.
4. Handle invalid sessions gracefully on other devices: when they next make an API request, WorkOS will reject the revoked session, and your app should clear local state and redirect to login. Alternatively, you can use the session.revoked event that WorkOS emits whenever a user session is revoked in order to notify other devices (using the Events API or webhooks).

Here’s what a flow like that looks like in Node.js:

	
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('WORKOS_API_KEY');

async function signOutEverywhere(userId, localClearFn) {
  // 1. Get all active sessions for this user
  const sessions = await workos.userManagement.listSessions(userId);

  // 2. Revoke each session by ID
  for (const session of sessions.data) {
    await workos.userManagement.revokeSession({
      sessionId: session.id,
    });
    console.log(`Revoked session ${session.id} (${session.metadata.user_agent}, ${session.metadata.ip_address})`);
  }

  // 3. Clear the local session on the initiating device
  localClearFn();
}
	

With this flow:

1. You fetch all active sessions using listSessions.
2. You iterate over the session IDs and call revokeSession on each one.
3. You clear the local session with localClearFn.

On other devices, when a revoked session tries to call your API, it will fail with an “invalid session” error. At that point, you should:

• Remove any local session tokens or cookies.
• Redirect the user back to your login page.

The result is a true “sign out everywhere” implementation that ensures no device or session remains valid.

This pattern ensures that after a password reset (or when a user clicks “sign out everywhere”), all of their active sessions across devices are terminated.

Best practices & implementation tips

• Password resets: Always revoke all existing sessions when a password is changed.
• Suspicious activity: Pair session metadata (IP, device, last active time) with heuristics to selectively revoke risky sessions.
• User empowerment: Provide a UI where users can see and revoke their own sessions, just like Google or Facebook.
• Graceful handling: After revocation, make sure your app properly redirects users with invalid tokens back to a login flow.

Get started with the Sessions API

Whether you’re tightening password reset flows, adding user-facing “sign out everywhere” functionality, or building admin-level security controls, the Sessions API gives you everything you need to manage sessions with enterprise-grade precision.

Head to the documentation to get started with the WorkOS Sessions API today.