🚧 FastCMS is under active development — not ready for production use. APIs and features may change without notice.

Session Management

List, inspect, and revoke active user sessions. Each login creates a tracked session — revoke individual devices or log out all at once.

FastCMS tracks every login as a session tied to a refresh token. You can list active sessions, revoke individual ones, or log out all devices at once — useful for security incident response or "sign out everywhere" UX.

How Sessions Work

When a user logs in, FastCMS creates a refresh token that acts as the session record. The token stores:

  • User agent — browser or client identifier
  • IP address — where the login originated
  • Created / expires — when the session was created and when it expires

Revoking a session marks the refresh token as revoked. The access token (short-lived JWT) remains valid until it expires (~15 minutes by default), but the next token refresh attempt will fail.

API Reference

All session endpoints require a valid Authorization: Bearer <access_token> header.

List Active Sessions

GET /api/v1/auth/sessions
Authorization: Bearer <access_token>

Response:

{
  "sessions": [
    {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
      "ip_address": "203.0.113.42",
      "created": "2026-03-01T10:00:00Z",
      "expires_at": "2026-04-01T10:00:00Z"
    }
  ]
}

Revoke a Session

DELETE /api/v1/auth/sessions/{session_id}
Authorization: Bearer <access_token>

Returns 204 No Content on success, 404 Not Found if the session doesn't exist or belongs to another user.

Log Out All Devices

POST /api/v1/auth/logout-all
Authorization: Bearer <access_token>

Returns 200 OK or 204 No Content. Invalidates all refresh tokens for the current user by rotating the internal token_key. Existing access tokens remain valid until they expire.

Admin UI

Visit /admin/sessions to view and revoke sessions for any user (admin only).

The sessions page shows:

  • Active sessions with device info and IP address
  • Relative timestamps ("2 hours ago")
  • One-click revoke per session
  • "Logout All Devices" button at the top

SDK Usage

TypeScript

const sdk = new FastCMS('http://localhost:8000');
await sdk.auth.login('user@example.com', 'password');

// List sessions
const { sessions } = await sdk.auth.getSessions();

// Revoke a specific session
await sdk.auth.revokeSession(sessions[0].id);

// Log out everywhere
await sdk.auth.logoutAll();

Python

from fastcms import FastCMS

sdk = FastCMS('http://localhost:8000')
sdk.auth.login('user@example.com', 'password')

sessions = sdk.auth.get_sessions()
sdk.auth.revoke_session(sessions[0]['id'])
sdk.auth.logout_all()

Security Notes

  • Only the session owner can revoke their own sessions via the API. Admins can revoke any session from the Admin UI.
  • logout-all rotates the token_key stored on the user record. All refresh tokens become invalid immediately; new logins generate fresh tokens with the new key.
  • Access tokens are JWTs — stateless and not revocable. Plan your access token TTL accordingly (default: 15 minutes).
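To make the revocation semantics from "How Sessions Work" and the notes above concrete (revoke marks one refresh token, logout-all rotates the user's token_key, access tokens stay valid until their own expiry), here is an added Python model. It is not FastCMS's own implementation: it assumes a refresh token is the session id plus an HMAC over it keyed by the user's token_key, access tokens are plain claim dicts checked only by exp, and every user, timestamp and session is constructed inline.

```python
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ACCESS_TTL = timedelta(minutes=15)   # default access token TTL named on the page
REFRESH_TTL = timedelta(days=31)     # assumption: refresh TTL is not stated on the page


@dataclass
class Session:
    """One tracked login: the fields the page says a refresh token records."""
    id: str
    user_id: str
    user_agent: str
    ip_address: str
    created: datetime
    expires_at: datetime
    revoked: bool = False


@dataclass
class User:
    id: str
    # Per-user key that refresh tokens are bound to; rotating it invalidates them all.
    token_key: str = field(default_factory=lambda: secrets.token_hex(16))


class SessionStore:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, user: User) -> None:
        self.users[user.id] = user

    def _sign(self, user: User, session_id: str) -> str:
        # Hypothetical token format: "<session_id>.<hmac_sha256(token_key, session_id)>"
        mac = hmac.new(user.token_key.encode(), session_id.encode(), hashlib.sha256).hexdigest()
        return f"{session_id}.{mac}"

    def login(self, user_id: str, user_agent: str, ip: str, now: datetime):
        """Create the session record; return (refresh_token, access_token)."""
        user = self.users[user_id]
        sid = str(uuid.uuid4())
        self.sessions[sid] = Session(sid, user_id, user_agent, ip, now, now + REFRESH_TTL)
        # Access token modelled as stateless claims: only its expiry is ever checked.
        return self._sign(user, sid), {"sub": user_id, "exp": now + ACCESS_TTL}

    def list_sessions(self, user_id: str, now: datetime) -> list:
        return [s for s in self.sessions.values()
                if s.user_id == user_id and not s.revoked and now < s.expires_at]

    def revoke(self, user_id: str, session_id: str) -> bool:
        """Owner-only revoke; False for unknown or foreign sessions (the API's 404)."""
        s = self.sessions.get(session_id)
        if s is None or s.user_id != user_id:
            return False
        s.revoked = True
        return True

    def logout_all(self, user_id: str) -> None:
        """Rotate token_key: every refresh token signed under the old key now fails."""
        self.users[user_id].token_key = secrets.token_hex(16)

    def refresh(self, refresh_token: str, now: datetime) -> bool:
        """True if this refresh token can still mint a new access token."""
        sid, _, _ = refresh_token.partition(".")
        s = self.sessions.get(sid)
        if s is None or s.revoked or now >= s.expires_at:
            return False
        # Constant-time compare against a MAC recomputed with the *current* token_key.
        return hmac.compare_digest(self._sign(self.users[s.user_id], sid), refresh_token)


def access_token_valid(access: dict, now: datetime) -> bool:
    """Stateless check: revocation never touches an access token, only exp does."""
    return now < access["exp"]


def demo() -> dict:
    """Walk through revoke, logout-all and access token lifetime; return what was observed."""
    store = SessionStore()
    store.add_user(User("alice"))
    store.add_user(User("bob"))
    t0 = datetime(2026, 3, 1, 10, 0, tzinfo=timezone.utc)  # constructed timestamp
    rt_laptop, at_laptop = store.login("alice", "Mozilla/5.0 (Macintosh)", "203.0.113.42", t0)
    rt_phone, _ = store.login("alice", "FastCMS-iOS/1.0", "198.51.100.7", t0)
    laptop_sid = rt_laptop.split(".")[0]
    r = {"active_before": len(store.list_sessions("alice", t0))}
    r["bob_cannot_revoke"] = not store.revoke("bob", laptop_sid)       # foreign session -> 404
    r["owner_revoke"] = store.revoke("alice", laptop_sid)
    r["revoked_refresh_fails"] = not store.refresh(rt_laptop, t0 + timedelta(minutes=1))
    r["other_refresh_ok"] = store.refresh(rt_phone, t0 + timedelta(minutes=1))
    # The revoked session's access token is still good until its 15 minute exp.
    r["access_after_revoke"] = access_token_valid(at_laptop, t0 + timedelta(minutes=5))
    r["access_after_ttl"] = access_token_valid(at_laptop, t0 + timedelta(minutes=16))
    store.logout_all("alice")
    r["all_refresh_fail"] = not store.refresh(rt_phone, t0 + timedelta(minutes=2))
    rt_new, _ = store.login("alice", "Mozilla/5.0 (Macintosh)", "203.0.113.42", t0 + timedelta(minutes=3))
    r["new_login_ok"] = store.refresh(rt_new, t0 + timedelta(minutes=4))
    return r


if __name__ == "__main__":
    print(demo())
```

The point the walk-through makes is the one the page warns about: after revoke or logout-all the client can no longer refresh, but an already issued access token keeps working until its exp, so the access TTL is the upper bound on how long a revoked session can still act.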
