Handling Sessions
Optionally, you can build a UI in the storefront frontend where the customer can see all their active sessions across their different devices. The customer is then also able to terminate sessions on other devices.
List Active Sessions
To receive a list of all active sessions/access tokens, use this endpoint:
GET https://{{tenant-space}}.auth.scayle.cloud/v1/oauth/tokens
For this endpoint, add the Authorization header: Authorization: Bearer {access_token}.
The response looks as follows:
[
  {
    "id": "0100cc93812b9eb969e43643a2a63dd81a7c652d49745122d67acfcfee809c6527fccf5f88f6328a",
    "ip": "172.18.0.1",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
    "created_at": "2023-03-01 14:07:15",
    "updated_at": "2023-03-01 14:07:15",
    "expires_at": "2023-04-01T14:07:15.000000Z"
  },
  {
    "id": "f170861f44987a12d2991f48714de614a4cc1866326f16c582f4fd106907f36557542ab9c1bceb5a",
    "ip": "172.18.0.1",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
    "created_at": "2023-03-01 14:21:10",
    "updated_at": "2023-03-01 14:21:10",
    "expires_at": "2023-04-01T14:21:10.000000Z"
  }
]
The creation timestamp and the User Agent in each entry can be shown to the customer to help them tell their different devices/sessions apart.
Refer to the Authentication API Specification for further insights on this endpoint.
Terminate Session / Revoke Access Token
To terminate a session, i.e. revoke its access token, use this endpoint:
curl -X DELETE "https://{{tenant-space}}.auth.scayle.cloud/v1/oauth/tokens/{{accessTokenId}}" \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{accessToken}}' \
--header 'X-Shop-Id: your-shop-id'
For this endpoint, add the Authorization header: Authorization: Bearer {access_token}.
The Access Token ID is not the same as the Access Token itself. To revoke a token you received from the login or register endpoints, obtain the Access Token ID by decoding the Access Token's JWT payload and extracting the jti property, which is the ID.
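The following is an added example, not SCAYLE's own code, tying the two endpoints above together in a storefront frontend: it decodes an access token's JWT payload to read the jti, marks that session in the list returned by GET /v1/oauth/tokens, and builds the DELETE request that revokes a session. The tenant space, shop id and the sample token are constructed placeholders.

```javascript
// Added example, not SCAYLE's own code: decode an access token's JWT payload to
// get its id (jti), flag that session in the GET /v1/oauth/tokens response, and
// build the DELETE request that revokes a session. Tenant space, shop id and the
// sample token are constructed placeholders.
const TENANT_SPACE = 'example-tenant'; // stands in for {{tenant-space}}
const SHOP_ID = 'your-shop-id';

function base64UrlDecode(segment) {
  // JWT segments are unpadded base64url: restore padding, then decode (Node;
  // in a browser use atob()).
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns the Access Token ID (jti claim) of a JWT. Only the payload is read;
// the signature is not checked because we inspect our own token, we do not trust it.
function accessTokenId(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload.jti !== 'string') throw new Error('jti claim missing');
  return payload.jti;
}

// Maps the session list to rows for a "your devices" view and marks the entry
// that belongs to the token this browser is currently using.
function describeSessions(sessions, currentTokenId) {
  return sessions.map((s) => ({
    id: s.id,
    label: `${s.user_agent} from ${s.ip}, since ${s.created_at}`,
    current: s.id === currentTokenId,
  }));
}

// Builds the revoke call: the token id goes in the path, the bearer token in the header.
function revokeRequest(bearerToken, tokenId) {
  return {
    method: 'DELETE',
    url: `https://${TENANT_SPACE}.auth.scayle.cloud/v1/oauth/tokens/${encodeURIComponent(tokenId)}`,
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${bearerToken}`, 'X-Shop-Id': SHOP_ID },
  };
}

// Constructed sample token with a placeholder signature segment; a real one is signed by the auth server.
const b64url = (s) => Buffer.from(s).toString('base64url');
const SAMPLE_JWT = [b64url('{"alg":"RS256","typ":"JWT"}'),
  b64url('{"jti":"f170861f44987a12d2991f48714de614a4cc1866326f16c582f4fd106907f36557542ab9c1bceb5a"}'), 'sig'].join('.');
```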
Refer to the Authentication API Specification for further information.