
Revoking a session

Online mode

This is applicable when the user is online and you want to revoke their session via an API call from their frontend client.

Method 1: Call the signOut function from the frontend

The signOut method revokes the session on the frontend and backend.

import React from "react";
import { signOut } from "supertokens-auth-react/recipe/thirdpartyemailpassword";

function NavBar() {
    async function onLogout() {
        await signOut();
        window.location.href = "/";
    }
    return (
        <ul>
            <li>Home</li>
            <li onClick={onLogout}>Logout</li>
        </ul>
    );
}

Method 2: Call the revokeSession function post session verification on the backend

import express from "express";
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express";

let app = express();

app.post("/someapi", verifySession(), async (req: SessionRequest, res) => {
    // This will delete the session from the db and from the frontend (cookies)
    await req.session!.revokeSession();

    res.send("Success! User session revoked");
});

Offline mode

caution

This method of revoking a session will only delete the session from the database and not from the frontend.

This implies that the user will still be able to access protected endpoints while their access token is alive.

If you want to instantly logout the user in this mode, you should enable access token blacklisting.

This is applicable when the user is offline, or if you want to revoke their session from the backend.
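The caution above, worked through as an added example (a constructed model, not SuperTokens code or its implementation): a session is revoked in the database only, and the already-issued access token is then checked with and without a database lookup. The class, function names, session handle, and 1-hour token lifetime are assumptions of this example, and access token blacklisting is modeled as a database lookup on every verification.

```typescript
// Constructed model of the offline-revocation window; not SuperTokens code.
// Signature checks are omitted: the point is which checks consult the database.
type AccessToken = { sessionHandle: string; userId: string; expiresAt: number };

class SessionStore {
    private sessions = new Map<string, string>(); // sessionHandle -> userId

    create(sessionHandle: string, userId: string, now: number, ttlMs: number): AccessToken {
        this.sessions.set(sessionHandle, userId);
        return { sessionHandle, userId, expiresAt: now + ttlMs };
    }

    // Offline revocation: removes the database row only; issued tokens are untouched.
    revoke(sessionHandle: string): boolean {
        return this.sessions.delete(sessionHandle);
    }

    // Stateless verification: trusts the token until it expires.
    verifyStateless(token: AccessToken, now: number): boolean {
        return now < token.expiresAt;
    }

    // Verification with a database lookup (how this model represents blacklisting).
    verifyWithDbCheck(token: AccessToken, now: number): boolean {
        return this.verifyStateless(token, now) && this.sessions.has(token.sessionHandle);
    }

    // In this model, refreshing needs the session row, so it fails after revocation.
    refresh(token: AccessToken, now: number, ttlMs: number): AccessToken | undefined {
        if (!this.sessions.has(token.sessionHandle)) return undefined;
        return { ...token, expiresAt: now + ttlMs };
    }
}

// Walks one session through revocation and reports what each check decides.
function revocationTimeline() {
    const store = new SessionStore();
    const ttlMs = 60 * 60 * 1000; // assumed 1-hour access token lifetime
    const token = store.create("handle-1", "user-1", 0, ttlMs); // constructed values
    const revoked = store.revoke("handle-1");
    const tenMin = 10 * 60 * 1000; // ten minutes after revocation
    return {
        revoked,
        statelessAfterRevoke: store.verifyStateless(token, tenMin),
        dbCheckAfterRevoke: store.verifyWithDbCheck(token, tenMin),
        refreshAfterRevoke: store.refresh(token, tenMin, ttlMs) !== undefined,
        statelessAfterExpiry: store.verifyStateless(token, ttlMs + 1),
    };
}
```

In this model the stateless check keeps accepting the token after revocation until it expires, while the database-backed check and the refresh attempt fail immediately.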

Method 1: Revoke a session using its sessionHandle

import Session from "supertokens-node/recipe/session";

async function revokeSession(sessionHandle: string) {
    // Resolves to a boolean indicating whether the session was revoked
    let revoked = await Session.revokeSession(sessionHandle);
    return revoked;
}

You can fetch all of the sessionHandles for a user using the getAllSessionHandlesForUser function.

Method 2: Revoke all sessions for a user

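import express from "express";
import Session from "supertokens-node/recipe/session";

let app = express();

// Parse JSON bodies so that req.body.userId is populated
app.use(express.json());

// This route revokes sessions for whichever userId the caller supplies,
// so expose it only to trusted callers (for example, behind admin authentication).
app.use("/revoke-all-user-sessions", async (req, res) => {
    let userId = req.body.userId;
    await Session.revokeAllSessionsForUser(userId);

    res.send("Success! All user sessions have been revoked");
});

Multi Tenancy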

By default, revokeAllSessionsForUser will delete all the sessions for the user across all the tenants. If you want to delete the sessions for a user in a specific tenant, you can pass the tenant ID as a parameter to the function call.