
Revoking a session

Online mode

This is applicable when the user is online and you want to revoke their session via an API call from their frontend client.

Method 1: Call the signOut function from the frontend

The signOut method revokes the session on the frontend and backend.

import React from "react";
import { signOut } from "supertokens-auth-react/recipe/passwordless";

function NavBar() {
    async function onLogout() {
        // Revokes the session on the frontend and backend
        await signOut();
        window.location.href = "/";
    }
    return (
        <ul>
            <li>Home</li>
            <li onClick={onLogout}>Logout</li>
        </ul>
    );
}

Method 2: Call the revokeSession function post session verification on the backend

import express from "express";
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express";

let app = express();

app.post("/someapi", verifySession(), async (req: SessionRequest, res) => {
    // This will delete the session from the db and from the frontend (cookies)
    await req.session!.revokeSession();

    res.send("Success! User session revoked");
});

Offline mode

Caution

This method of revoking a session will only delete the session from the database and not from the frontend.

This implies that the user will still be able to access protected endpoints while their access token is alive.

If you want to instantly log out the user in this mode, you should enable access token blacklisting.

This is applicable when the user is offline, or if you want to revoke their session from the backend.

Method 1: Revoke a session using its sessionHandle

import Session from "supertokens-node/recipe/session";

async function revokeSession(sessionHandle: string) {
    // true if the session was revoked, false otherwise
    let revoked = await Session.revokeSession(sessionHandle);
    return revoked;
}

You can fetch all of the sessionHandles for a user using the getAllSessionHandlesForUser function.
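
One way to combine getAllSessionHandlesForUser with revokeSession, as an added example that is not part of the SuperTokens documentation: revoke every session for a user except one that should stay signed in. `SessionApi`, `RevokeReport`, `revokeOtherSessions` and `makeFakeSessionApi` are hypothetical names, and the in-memory store is constructed so the block runs without a SuperTokens core.

```typescript
// Added example, not SuperTokens code. SessionApi mirrors the two functions this
// page names; the real `Session` import is assumed to fit this shape.
interface SessionApi {
    getAllSessionHandlesForUser(userId: string): Promise<string[]>;
    revokeSession(sessionHandle: string): Promise<boolean>;
}

interface RevokeReport {
    revoked: string[];     // handles deleted from the database
    alreadyGone: string[]; // revokeSession returned false (no such session)
    kept: string[];        // the session deliberately left alive
}

// Hypothetical helper: revoke every session of `userId` except `keepHandle`,
// for example after a credential change made from the session being kept.
async function revokeOtherSessions(
    api: SessionApi, userId: string, keepHandle: string
): Promise<RevokeReport> {
    const report: RevokeReport = { revoked: [], alreadyGone: [], kept: [] };
    const handles = await api.getAllSessionHandlesForUser(userId);
    for (const handle of handles) {
        if (handle === keepHandle) {
            report.kept.push(handle);
            continue;
        }
        // Offline-mode revocation: the database entry is deleted, but an access
        // token already issued for this handle stays usable until it expires.
        const ok = await api.revokeSession(handle);
        (ok ? report.revoked : report.alreadyGone).push(handle);
    }
    return report;
}

// Constructed in-memory stand-in for the session store (handle -> userId).
function makeFakeSessionApi(store: Map<string, string>): SessionApi {
    return {
        async getAllSessionHandlesForUser(userId: string): Promise<string[]> {
            const handles: string[] = [];
            store.forEach((owner, handle) => { if (owner === userId) handles.push(handle); });
            return handles;
        },
        async revokeSession(sessionHandle: string): Promise<boolean> {
            return store.delete(sessionHandle);
        },
    };
}
```

Handles that land in `alreadyGone` were listed but no longer existed when revoked, which is harmless and worth logging rather than treating as a failure.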

Method 2: Revoke all sessions for a user

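import express from "express";
import Session from "supertokens-node/recipe/session";

let app = express();

// Parse JSON bodies so that req.body.userId is populated
app.use(express.json());

// Restrict this route to trusted callers (for example an admin-only check):
// as written, anyone who can reach it can revoke any user's sessions.
app.use("/revoke-all-user-sessions", async (req, res) => {
    let userId = req.body.userId;
    await Session.revokeAllSessionsForUser(userId);

    res.send("Success! All user sessions have been revoked");
});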