Learn how to manage user sessions.
## Session token

On successful authentication the Hanko API returns the session token in the `X-Auth-Token` response header. Hanko Elements and the Frontend SDK read the `X-Auth-Token` header and use it to set a cookie (name: `hanko`) on the client side. If you use neither Hanko Elements nor the SDK, you have to take care of storing the session token yourself.

The session token is sent to the API either in the `Cookie` header or as a `Bearer` token in the `Authorization` header (`Authorization: Bearer <JWT>`).
## Session persistence

Upon session creation, a unique identifier is generated and stored in the database, linked to the corresponding user. This identifier is also included in the session JWT under the `session_id` claim. For subsequent requests, the API validates the JWT signature and uses the `session_id` to query the database for an active session match. This enables remote session revocation. As a result, if a user is logged in on one device but has multiple active sessions across other devices, the API's Profile flow facilitates the listing and explicit termination of sessions on those devices. This functionality is also accessible through the UI via the Hanko Elements' Profile Component.
## Validating sessions

To validate a session, use the `sessions/validate` endpoint. Send the session token in the request body; the endpoint checks expiry, signature, and session persistence (that the `session_id` still maps to an active session). The validation response includes the session validity status, token expiry information, and the associated user claims.

Alternatively, use the Hanko Frontend SDK for session validation. See Using the Frontend SDK for implementation details.
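The following is an added example for a backend that sits in front of the Hanko API; it is not code from the Hanko docs or the Hanko project. It reads the session token from either transport described above (the `hanko` cookie or `Authorization: Bearer <JWT>`) and posts it to `<HANKO_API_URL>/sessions/validate`. The request body shape (`{"session_token": ...}`) and the response field names (`is_valid`, `expiration_time`, `claims`) are assumptions to check against the API reference; any network error or non-200 answer is treated as "not valid" so the middleware never grants access on an error path.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// SessionCookieName is the cookie Hanko Elements / the Frontend SDK set from X-Auth-Token.
const SessionCookieName = "hanko"

// ErrNoSessionToken is returned when neither the cookie nor the Bearer header carries a token.
var ErrNoSessionToken = errors.New("no session token in request")

// ExtractSessionToken reads the session JWT from the "hanko" cookie or from an
// "Authorization: Bearer <JWT>" header, the two transports the Hanko API accepts.
func ExtractSessionToken(r *http.Request) (string, error) {
	if c, err := r.Cookie(SessionCookieName); err == nil && c.Value != "" {
		return c.Value, nil
	}
	auth := r.Header.Get("Authorization")
	if len(auth) > 7 && strings.EqualFold(auth[:7], "Bearer ") {
		if tok := strings.TrimSpace(auth[7:]); tok != "" {
			return tok, nil
		}
	}
	return "", ErrNoSessionToken
}

// ValidationResult mirrors the fields the validate endpoint is assumed to return
// (validity, expiry, claims). The field names are an assumption, not taken from the page.
type ValidationResult struct {
	IsValid        bool                   `json:"is_valid"`
	ExpirationTime time.Time              `json:"expiration_time"`
	Claims         map[string]interface{} `json:"claims"`
}

// ValidateSession posts the token to <hankoAPIURL>/sessions/validate and decodes the answer.
func ValidateSession(client *http.Client, hankoAPIURL, token string) (*ValidationResult, error) {
	body, _ := json.Marshal(map[string]string{"session_token": token}) // assumed request shape
	url := strings.TrimRight(hankoAPIURL, "/") + "/sessions/validate"
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("validate endpoint returned HTTP %d", resp.StatusCode)
	}
	var res ValidationResult
	if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
		return nil, err
	}
	return &res, nil
}

// RequireSession wraps a handler: requests without a valid Hanko session get 401.
// Errors from the validate call fail closed (401), never open.
func RequireSession(client *http.Client, hankoAPIURL string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, err := ExtractSessionToken(r)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		res, err := ValidateSession(client, hankoAPIURL, tok)
		if err != nil || !res.IsValid {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed request: a Bearer token is extracted; "<your-hanko-api-url>" is a placeholder.
	req, _ := http.NewRequest(http.MethodGet, "https://backend.example/me", nil)
	req.Header.Set("Authorization", "Bearer <session-jwt>")
	tok, err := ExtractSessionToken(req)
	fmt.Println("token:", tok, "err:", err)
	// ValidateSession(http.DefaultClient, "https://<your-hanko-api-url>", tok) would then call the API.
}
```

The cookie is checked first because that is what Hanko Elements sets; API clients without a browser use the Bearer form.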
## Logging out

To log out, use the `/users/logout` endpoint. Successful logout requests clear session cookies and terminate the associated session.
## Session duration

1. Go to Settings > Session.
2. Set the Session duration and click Save.

## Session limit

1. Go to Settings > Session.
2. Set the Session limit and click Save.
## Cookie type

Two cookie types are available for storing the session token:

- Persistent cookie: sets the `Max-Age` attribute of the cookie to the specified session duration (in seconds). The cookie will be automatically deleted from the browser once the specified expiry time has been reached.
- Session cookie: sets the `Max-Age` attribute of the cookie to 0, resulting in the cookie being deleted from the browser when the browser tab or window is closed.

Alternatively, a `Stay signed in` checkbox can be shown on the login form which allows users to determine the cookie retention period: if the checkbox is checked, the cookie will be a Persistent cookie; if it is unchecked, the cookie will be a Session cookie.

To configure the cookie type:

1. Go to Settings > Session.
2. Under Stay signed in (cookie type), select the desired type and click Save.
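The two cookie types above, and the cookie-clearing logout from the previous section, as an added example in Go's `net/http` (this is illustrative code, not Hanko's implementation). The point worth seeing on the wire: in `net/http` a `MaxAge` field of 0 means the `Max-Age` attribute is omitted, which is exactly what makes the browser treat the cookie as a session cookie, while a negative `MaxAge` emits `Max-Age=0`, which browsers treat as "delete now" and is what a logout response needs. The `HttpOnly`, `Secure` and `SameSite=Lax` attributes are assumed hardening defaults, not settings taken from the page.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
	"time"
)

// SessionCookieName is the cookie Hanko Elements / the Frontend SDK set on the client.
const SessionCookieName = "hanko"

// NewSessionCookie builds the session cookie according to the "Stay signed in" outcome:
//   - staySignedIn == true  -> persistent cookie, Max-Age = session duration in seconds
//   - staySignedIn == false -> browser session cookie, no Max-Age attribute at all
// Leaving MaxAge at 0 makes net/http omit the attribute; that is the "Max-Age 0" case
// described on the page. HttpOnly/Secure/SameSite are assumed defaults.
func NewSessionCookie(token string, staySignedIn bool, sessionDuration time.Duration) *http.Cookie {
	c := &http.Cookie{
		Name:     SessionCookieName,
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
	if staySignedIn {
		c.MaxAge = int(sessionDuration / time.Second)
	}
	return c
}

// ExpiredSessionCookie is what a logout response sends to clear the cookie: a negative
// MaxAge makes net/http write "Max-Age=0", which RFC 6265 browsers treat as delete-now.
// Contrast with MaxAge 0 in NewSessionCookie, which writes nothing.
func ExpiredSessionCookie() *http.Cookie {
	return &http.Cookie{
		Name:     SessionCookieName,
		Value:    "",
		Path:     "/",
		MaxAge:   -1,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// MaxAgeAttribute returns the Max-Age value exactly as it appears in the Set-Cookie
// header, or "" when the attribute is absent (a browser session cookie).
func MaxAgeAttribute(c *http.Cookie) string {
	for _, part := range strings.Split(c.String(), "; ") {
		if strings.HasPrefix(part, "Max-Age=") {
			return strings.TrimPrefix(part, "Max-Age=")
		}
	}
	return ""
}

func main() {
	// Constructed token value; a real value is the session JWT from X-Auth-Token.
	fmt.Println("persistent:", NewSessionCookie("<jwt>", true, 12*time.Hour))
	fmt.Println("session:   ", NewSessionCookie("<jwt>", false, 12*time.Hour))
	fmt.Println("logout:    ", ExpiredSessionCookie())
}
```

When reviewing a logout handler, check for the `Max-Age=0` (or a past `Expires`) in the response; a handler that only sets an empty value without it leaves the cookie in place for the rest of the browser session.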
## Session revocation

Sessions can be revoked through the Profile flow using the `session_delete` action. If you are using Hanko Elements version 1.3 or later, the Profile component provides interface elements that allow users to revoke active sessions, excluding the session currently in use. The current session can be revoked through a manual logout.

To control self-service session revocation behaviour:

1. Go to Settings > Session.
2. Use the Allow session revocation toggle to allow or disallow end-user session revocation via the profile.
## Show sessions on profile

Information about a user's active sessions can be returned from the Profile flow. If you use Hanko Elements (1.3 or later), this information is displayed in the Profile component.

To control whether information about active sessions is returned from the Profile flow (and shown in Hanko Elements):

1. Go to Settings > Session.
2. Use the Show sessions on profile toggle to include information about active sessions in the profile API response (and the Hanko Elements Profile component).
To additionally record where a session was established from:

1. Go to Settings > Session.
2. Use the Acquire IP address toggle to include the IP (IPv4/IPv6) address used to establish the session.
3. Use the Acquire user agent toggle to include the user agent used to establish the session.
## Customize session token

To add custom claims to the session token:

1. Go to Settings > Session.
2. Define your claim templates in the Customize session token section.
3. Click Save to apply your changes.

Claim templates have access to the `.User` field, which includes:

- `.User.UserID`: The user's unique ID (string).
- `.User.Email`: Email details (optional).
  - `.User.Email.Address`: The email address (string).
  - `.User.Email.IsPrimary`: Indicates if the email is the primary address (boolean).
  - `.User.Email.IsVerified`: Indicates if the email is verified (boolean).
- `.User.Username`: The user's username (string, optional).
- `.User.Metadata`: The user's public and unsafe metadata (optional).
  - `.User.Metadata.Public`: The user's public metadata (object).
  - `.User.Metadata.Unsafe`: The user's unsafe metadata (object).

`.User.Metadata.Public` and `.User.Metadata.Unsafe` can be accessed and queried using GJSON Path Syntax (try it out in the playground).

Assume that a user's public metadata consisted of the following data:

`.User.Metadata.Public` and `.User.Metadata.Unsafe` are function calls internally and the given path argument must be a string, so it must be double quoted. If you use double quotes for your entire claim template then the path argument must be escaped, i.e.: `"{{ .User.Metadata.Public \"display_name\" }}"`
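To make the "function call with a quoted path" rule concrete, here is an added stand-in (not Hanko's code) that renders a claim template the way the API is assumed to: the `{{ ... }}` syntax and the note about function calls suggest Go `text/template`, so that is what this example uses. `Public` and `Unsafe` are methods taking one string argument, which is why an unquoted path fails to parse; the lookup only understands dotted keys such as `profile.locale` and merely stands in for the real GJSON path evaluation. The metadata document is constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// Metadata stands in for .User.Metadata. Public and Unsafe are methods, i.e.
// function calls inside the template, so their path argument must be a quoted string.
// The real API evaluates GJSON paths; this stand-in only walks dotted keys.
type Metadata struct {
	public map[string]interface{}
	unsafe map[string]interface{}
}

func lookup(m map[string]interface{}, path string) interface{} {
	var cur interface{} = m
	for _, key := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil
		}
		if cur, ok = obj[key]; !ok {
			return nil
		}
	}
	return cur
}

func (m Metadata) Public(path string) interface{} { return lookup(m.public, path) }
func (m Metadata) Unsafe(path string) interface{} { return lookup(m.unsafe, path) }

// User mirrors the template fields listed on the page (Email omitted for brevity).
type User struct {
	UserID   string
	Username string
	Metadata Metadata
}

// NewMetadata parses the two metadata documents (constructed JSON in this example).
func NewMetadata(publicJSON, unsafeJSON string) (Metadata, error) {
	var m Metadata
	if err := json.Unmarshal([]byte(publicJSON), &m.public); err != nil {
		return Metadata{}, err
	}
	if err := json.Unmarshal([]byte(unsafeJSON), &m.unsafe); err != nil {
		return Metadata{}, err
	}
	return m, nil
}

// RenderClaim executes one claim template with the user as context (assumed to be
// how custom claims are produced); parse errors surface exactly as for an unquoted path.
func RenderClaim(tmpl string, u User) (string, error) {
	t, err := template.New("claim").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, map[string]interface{}{"User": u}); err != nil {
		return "", err
	}
	return out.String(), nil
}

// ClaimTemplateFromJSON unquotes a template stored as a JSON string, which is where
// the escaped form "{{ .User.Metadata.Public \"display_name\" }}" comes from.
func ClaimTemplateFromJSON(raw string) (string, error) {
	var s string
	err := json.Unmarshal([]byte(raw), &s)
	return s, err
}

func main() {
	md, _ := NewMetadata(`{"display_name":"Ada","profile":{"locale":"en"}}`, `{}`)
	u := User{UserID: "user-1", Metadata: md}
	out, err := RenderClaim(`{{ .User.Metadata.Public "display_name" }}`, u)
	fmt.Printf("quoted path: %q err=%v\n", out, err)
	_, err = RenderClaim(`{{ .User.Metadata.Public display_name }}`, u)
	fmt.Println("unquoted path:", err)
}
```

Unsafe metadata is, as its name says, writable by the user; a claim template that copies a field out of it into the token should be treated as untrusted input downstream, exactly like any other user-supplied string.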
## Session token claims

The session token is a JSON Web Token (JWT). The JWT payload contains the claims about a user. By default, it contains the following claims:

- `sub`
- `iat`
- `exp`
- `aud`
- `iss`
- `email`
- `username`
- `session_id`

`aud` will be your App URL.
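As an added example (not from the Hanko docs or the Hanko code base), the following decodes the JWT payload and applies the checks a relying party should make on the default claims listed above: `aud` equals the App URL, `exp` lies in the future, and `sub` and `session_id` are present. The example also handles the edge case that RFC 7519 allows `aud` to be either a string or an array. Decoding does not verify the signature or check session persistence, so it is for inspection and logging only; authorization decisions still go through the `sessions/validate` endpoint. The sample token is constructed inline with a fake signature segment, and the shape of the `email` claim is not asserted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Audience accepts both encodings RFC 7519 allows for "aud": one string or an array.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = Audience(many)
	return nil
}

// SessionClaims holds the default claims listed on the page. The inner shape of
// "email" is left open (map) because the page does not specify it.
type SessionClaims struct {
	Sub       string                 `json:"sub"`
	Iat       int64                  `json:"iat"`
	Exp       int64                  `json:"exp"`
	Aud       Audience               `json:"aud"`
	Iss       string                 `json:"iss"`
	Email     map[string]interface{} `json:"email,omitempty"`
	Username  string                 `json:"username,omitempty"`
	SessionID string                 `json:"session_id"`
}

// DecodeSessionClaims parses the payload segment WITHOUT verifying the signature.
// Use it to read exp/session_id for display or logs; not a substitute for sessions/validate.
func DecodeSessionClaims(token string) (*SessionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token does not have three segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c SessionClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	return &c, nil
}

// CheckClaims applies the relying-party sanity checks: aud contains the App URL,
// the token is not expired at "now", and sub / session_id are present.
func CheckClaims(c *SessionClaims, appURL string, now time.Time) error {
	audOK := false
	for _, a := range c.Aud {
		if a == appURL {
			audOK = true
		}
	}
	if !audOK {
		return fmt.Errorf("aud %v does not contain app URL %q", []string(c.Aud), appURL)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token is expired or has no exp claim")
	}
	if c.Sub == "" || c.SessionID == "" {
		return errors.New("sub or session_id claim missing")
	}
	return nil
}

// ConstructedToken builds a sample token with a fake signature so the example runs
// offline; real session tokens are issued and signed by the Hanko API.
func ConstructedToken(c SessionClaims) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + ".constructed-signature"
}

func main() {
	now := time.Now()
	tok := ConstructedToken(SessionClaims{
		Sub: "user-1", Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(),
		Aud: Audience{"https://app.example.com"}, Iss: "https://hanko.example.com", SessionID: "sess-1",
	})
	claims, err := DecodeSessionClaims(tok)
	fmt.Println("decoded:", claims, err)
	fmt.Println("check for app URL:", CheckClaims(claims, "https://app.example.com", now))
}
```

The audience check is the one most often skipped in hand-rolled code; with it, a token minted for another Hanko app (a different App URL) is rejected even if its signature were acceptable.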