Handling sessions

Optionally, you can build a UI in the storefront frontend where the customer can see all their active sessions from their different devices. The customer is then also able to terminate sessions on other devices.

List Active Sessions

To receive a list of all active sessions/access tokens, use this endpoint:

GET https://{{tenant-space}}.auth.scayle.cloud/v1/oauth/tokens

For this endpoint, please add the Authorization header: Authorization: Bearer {access_token}.

The response looks as follows:

[
  {
    "id": "0100cc93812b9eb969e43643a2a63dd81a7c652d49745122d67acfcfee809c6527fccf5f88f6328a",
    "ip": "172.18.0.1",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
    "created_at": "2023-03-01 14:07:15",
    "updated_at": "2023-03-01 14:07:15",
    "expires_at": "2023-04-01T14:07:15.000000Z"
  },
  {
    "id": "f170861f44987a12d2991f48714de614a4cc1866326f16c582f4fd106907f36557542ab9c1bceb5a",
    "ip": "172.18.0.1",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
    "created_at": "2023-03-01 14:21:10",
    "updated_at": "2023-03-01 14:21:10",
    "expires_at": "2023-04-01T14:21:10.000000Z"
  }
]

The creation timestamp and the User Agent returned for each entry can be shown to the customer to help them tell their different devices and sessions apart.

Refer to the Authentication API Specification for further insights on this endpoint.

Terminate Session / Revoke Access Token

To terminate one of the sessions and revoke one of the access tokens, you can use this endpoint:

curl -X DELETE "https://{{tenant-space}}.auth.scayle.cloud/v1/oauth/tokens/{{accessTokenId}}" \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{accessToken}}' \
--header 'X-Shop-Id: your-shop-id'

For this endpoint, please add the Authorization header: Authorization: Bearer {access_token}.

The Access Token ID is not the same as the Access Token itself. To revoke a token you received from the login or register endpoints, obtain its Access Token ID by decoding the Access Token's JWT payload and extracting the jti property, which is the ID.
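The two calls above worked through as an added example (not SCAYLE's own code): it reads the jti from the current access token, shapes the session listing for a devices view (treating the listing's id as the same token ID carried in jti, as described above), and builds the DELETE request. The tenant space, shop ID, sample token and sample listing are constructed placeholders.

```javascript
// Added example, not SCAYLE's own code. Tenant space, shop ID and sample data
// are constructed placeholders. Uses Node's Buffer; in a browser use atob()/btoa().
const TENANT_SPACE = "example-tenant";
const TOKENS_URL = `https://${TENANT_SPACE}.auth.scayle.cloud/v1/oauth/tokens`;

// JWT segments are base64url without padding: map to standard base64 and re-pad.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64 + "=".repeat((4 - (b64.length % 4)) % 4), "base64").toString("utf8");
}

// Read the token ID (jti) from the access token payload. No signature check here:
// the client only needs the ID to address the revoke endpoint; the auth server validates the bearer token.
function accessTokenId(accessToken) {
  const parts = accessToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (3 segments expected)");
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload.jti !== "string" || payload.jti === "") throw new Error("no jti in payload");
  return payload.jti;
}

// Shape the GET /v1/oauth/tokens response for a "your devices" view and flag the session in current use.
function sessionRows(tokens, currentAccessToken) {
  const currentId = accessTokenId(currentAccessToken);
  return tokens.map((t) => ({
    id: t.id, current: t.id === currentId, device: t.user_agent,
    createdAt: t.created_at, expiresAt: t.expires_at,
  }));
}

// Build (but do not send) the DELETE request that revokes one token ID.
function revokeRequest(tokenId, accessToken, shopId) {
  return {
    method: "DELETE",
    url: `${TOKENS_URL}/${encodeURIComponent(tokenId)}`,
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${accessToken}`, "X-Shop-Id": shopId },
  };
}

// Constructed sample data: a token whose jti is SESSION_A (dummy signature segment),
// plus a listing shaped like the documented response.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SESSION_A = "0100cc93a1b2c3d4e5f6", SESSION_B = "f170861fa1b2c3d4e5f6";
const SAMPLE_TOKEN = `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url({ jti: SESSION_A, sub: "customer-1" })}.dummy-sig`;
const SAMPLE_LISTING = [
  { id: SESSION_A, ip: "172.18.0.1", user_agent: "Chrome/110 on Windows", created_at: "2023-03-01 14:07:15", expires_at: "2023-04-01T14:07:15.000000Z" },
  { id: SESSION_B, ip: "172.18.0.1", user_agent: "Safari on iPhone", created_at: "2023-03-01 14:21:10", expires_at: "2023-04-01T14:21:10.000000Z" },
];
```

Flagging the current session lets the UI stop the customer from revoking the token they are using to make the request.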

Refer to the Checkout Authentication API for further information.