Overview
LoginRadius Session APIs provide visibility into user session activity, enabling administrators to monitor and manage login behavior across different devices and locations. These APIs are designed for server-side use and support advanced use cases like session auditing, concurrent session control, and device-level logout.
⚠️ Session APIs return sensitive access token information. Call them only from trusted server-side code and handle the returned tokens with care.
API Security
LoginRadius Session APIs rely on the LoginRadius API Secret, which holds high-level access permissions. It's crucial that this key remains confidential and is never included in any client-side code.
How to Retrieve Your API Secret:
- Log in to your LoginRadius Console.
- Navigate to Tenant Settings > General > API Configuration.
- Click Show (the eye icon) and securely copy the API Secret for backend use.
Key Features and Use Cases
Session Insights
- Retrieve all active sessions for a user across devices and locations.
- Access metadata like IP address, browser, OS, and login timestamp.
Session Management
- Detect concurrent logins and enforce single-session policies.
- Invalidate individual sessions by revoking access tokens.
These APIs are commonly used for:
- Detecting unauthorized or abnormal login behavior.
- Enforcing device/session limits for added security.
- Supporting user-level session visibility in admin dashboards.
- Logging users out from untrusted devices.
Common Session API Endpoints
These endpoints support use cases like validating active sessions, revoking access, enforcing login policies, and monitoring session metadata. For better clarity, the endpoints are grouped by functionality below.
Token Operations
Manage access tokens and secure one-time tokens (SOTT) for login and registration flows.
| Endpoint | Description |
|---|---|
| Generate SOTT | This API allows you to generate a SOTT with a given expiration time. |
| Access Token | This API translates the Request Token generated from a successful OAuth login with the social platform into an Access Token that can be used with other API calls. |
| Validate Access Token | This API validates an access_token; if valid, it returns a response with its expiry, otherwise an error. |
| Invalidate Access Token | This API invalidates the active access token, ending its validity immediately. |
Session Details
You can retrieve the current session's device, browser, IP, and login information using an Access Token.
| Endpoint | Description |
|---|---|
| Get Active Session Details | This API is used to get all active sessions through the Access Token. |
Session Management
Fetch or manage active sessions across devices using UID, profile ID, or both.
| Endpoint | Description |
|---|---|
| Active Session By Account ID | Retrieve all active sessions for a user using their UID. |
| Active Session By Profile ID | This API is used to get active login sessions for an account profile. |
| Active Session By Account ID and Profile ID | Retrieve sessions by combining UID and profile identifier for refined control. |
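The concurrent-session control and audit-logging use cases above, and the Active Session By Account ID and Invalidate Access Token endpoints, fit together in one server-side routine. The following is an added example, not LoginRadius code or an official SDK: the endpoint paths, the secret-carrying header names and the response field names (`data`, `AccessToken`, `Ip`, `Browser`, `Os`, `LoginDate`) are assumptions to be checked against the API reference, and `SAMPLE_RESPONSE` is constructed data. The API secret is read from the environment so it never reaches source control or a client, the secret travels in a header rather than the query string so it stays out of URL logs, and audit records carry a SHA-256 fingerprint of each revoked token instead of the token itself.

```python
"""Server-side session policy on top of the LoginRadius Session APIs.

Added example (not LoginRadius code). Endpoint paths, header names and
response field names are ASSUMPTIONS; confirm them against the API reference.
"""
import hashlib
import json
import os
import urllib.parse
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

API_BASE = "https://api.loginradius.com"           # assumed base URL
API_KEY = os.environ.get("LR_API_KEY", "")          # public key, safe in requests
API_SECRET = os.environ.get("LR_API_SECRET", "")    # server-side only; never in client code


@dataclass(frozen=True)
class Session:
    access_token: str
    ip: str
    browser: str
    os_name: str
    login_at: datetime


def parse_sessions(payload: dict) -> list:
    """Map an active-sessions response to Session objects (field names assumed)."""
    return [
        Session(
            access_token=item["AccessToken"],
            ip=item["Ip"],
            browser=item["Browser"],
            os_name=item["Os"],
            login_at=datetime.fromisoformat(item["LoginDate"].replace("Z", "+00:00")),
        )
        for item in payload.get("data", [])
    ]


def distinct_ips(sessions: list) -> set:
    """More than one IP among a user's active sessions is a concurrent-login signal."""
    return {s.ip for s in sessions}


def sessions_to_revoke(sessions: list, max_sessions: int) -> list:
    """Keep the newest max_sessions logins; older ones are revoked (1 = single-session policy)."""
    newest_first = sorted(sessions, key=lambda s: s.login_at, reverse=True)
    return newest_first[max_sessions:]


def token_fingerprint(token: str) -> str:
    """Audit records reference a token by SHA-256 prefix, never by its raw value."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def fetch_sessions_by_uid(uid: str) -> list:
    """Active Session By Account ID (path and secret header are assumed)."""
    url = f"{API_BASE}/identity/v2/manage/account/session?" + urllib.parse.urlencode({"uid": uid})
    req = urllib.request.Request(url, headers={
        "X-LoginRadius-ApiKey": API_KEY,
        "X-LoginRadius-ApiSecret": API_SECRET,  # header, not query string: keeps it out of URL logs
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_sessions(json.load(resp))


def invalidate_access_token(access_token: str) -> None:
    """Invalidate Access Token (path and bearer scheme are assumed)."""
    url = f"{API_BASE}/identity/v2/auth/access_token/invalidate?" + urllib.parse.urlencode({"apikey": API_KEY})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()


def enforce_session_limit(sessions: list, max_sessions: int,
                          invalidate: Callable[[str], None] = invalidate_access_token,
                          audit_log: Optional[list] = None) -> list:
    """Revoke surplus sessions and append one audit record per invalidation."""
    audit_log = [] if audit_log is None else audit_log
    for s in sessions_to_revoke(sessions, max_sessions):
        invalidate(s.access_token)
        audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "action": "invalidate_access_token",
            "token_fp": token_fingerprint(s.access_token),
            "ip": s.ip, "browser": s.browser, "os": s.os_name,
            "reason": f"exceeded max_sessions={max_sessions}",
        })
    return audit_log


# Constructed sample response (not real data), shaped as assumed above.
SAMPLE_RESPONSE = {"data": [
    {"AccessToken": "tok-a", "Ip": "203.0.113.10", "Browser": "Chrome", "Os": "Windows", "LoginDate": "2024-05-01T08:00:00Z"},
    {"AccessToken": "tok-b", "Ip": "198.51.100.7", "Browser": "Safari", "Os": "iOS", "LoginDate": "2024-05-01T09:30:00Z"},
    {"AccessToken": "tok-c", "Ip": "203.0.113.10", "Browser": "Firefox", "Os": "Linux", "LoginDate": "2024-05-02T11:15:00Z"},
]}

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_RESPONSE)
    print("distinct IPs:", distinct_ips(sessions))
    # invalidate=lambda t: None keeps the demo offline; drop it to call the real endpoint.
    print(json.dumps(enforce_session_limit(sessions, max_sessions=2, invalidate=lambda t: None), indent=2))
```

In production, `fetch_sessions_by_uid` supplies the session list and the default `invalidate` performs the real revocation; the `invalidate` parameter exists so the policy logic can be exercised against a stub without network access, and the returned audit list is what you would ship to your log pipeline.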
Best Practices
- Session APIs should be called from secure server-side environments.
- Log all access token invalidations for audit purposes.
- Regularly review session activity to detect anomalies.
- Never expose access tokens or API secrets in frontend applications.