BIO.RE
Authentication

Revoke Single Session

Revoke a specific session by ID. Use the session ID from /auth/sessions. Cannot revoke the current session — use logout for that.

DELETE /api/v1/auth/sessions/{id} — 🔑 User-auth (Bearer JWT) · Rate limit: 20 req / hour

Revokes a specific session. The device holding that session loses access as soon as it next tries to refresh: its refresh token is invalidated immediately, while an access token it already holds stays valid until it expires (at most 15 min). Cannot revoke the current session — that requires /auth/logout.

Attempting to revoke the session that owns the requesting refresh token returns 400 (i18nKey auth.sessions.cannot_revoke_current, see Errors below). Use /auth/logout instead; ending your own session and revoking another device's session are deliberately separate operations.

Request

Headers

Header         Value                       Notes
Authorization  Bearer <accessToken>        Required
Cookie         biore_refresh=... (auto)    Sent automatically by the browser; used to detect the "current session" guard

Path parameters

Param  Type            Validation      Notes
id     string (UUID)   ParseUUIDPipe   Session ID from GET /auth/sessions

No body, no query.

Response

200 OK   SuccessOnlyResponseDto

{ "success": true }

Errors

HTTP  code / i18nKey                         Reason
400   auth.sessions.cannot_revoke_current    The session ID matches the requesting refresh token — use /auth/logout instead
400   (UUID validation)                      id is not a valid UUID
401   (no JWT or invalid)                    Not authenticated
404   auth.sessions.not_found                Session does not exist OR does not belong to the current user (same response in both cases)
429   (throttle)                             Rate limit exceeded (20 req/hour)

Side effects

  1. Look up Session by id; verify Session.userId matches the authenticated user. A missing session and a session owned by another user both return 404 auth.sessions.not_found, so the endpoint does not reveal whether a guessed ID exists.
  2. Verify the session ID is NOT the session bound to the request's refresh cookie (anti-foot-shoot); if it is, return 400 auth.sessions.cannot_revoke_current.
  3. Mark Session.revokedAt = now(). Refresh attempts with that session's refresh token fail from this point; an access token already issued remains valid until it expires.
  4. Audit log: auth.sessions.revoke.success.
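The four steps above, as an added example that is not the project's auth.service.ts: an in-memory model of the lookup, ownership check, current-session guard, revocation and audit, plus the refresh-side check that makes the revocation take effect. SessionRecord, the session Map, HttpError, auditLog and the sample session IDs are assumptions made for the illustration; the real service uses the Prisma Session model, but the status codes and i18n keys are the ones listed under Errors.

```typescript
// Added example, not the project's auth.service.ts: an in-memory model of the
// four side-effect steps above. SessionRecord, the session Map, HttpError and
// auditLog are assumptions made for the illustration; the real service uses
// the Prisma Session model and returns the same status codes / i18n keys.

type SessionRecord = { id: string; userId: string; revokedAt: Date | null };

class HttpError extends Error {
  readonly status: number;
  readonly i18nKey: string;
  constructor(status: number, i18nKey: string) {
    super(i18nKey);
    this.status = status;
    this.i18nKey = i18nKey;
  }
}

// i18n keys as listed under Errors on this page.
const CANNOT_REVOKE_CURRENT = 'auth.sessions.cannot_revoke_current';
const NOT_FOUND = 'auth.sessions.not_found';

// Constructed sample data: user u-1 has a phone and a laptop session, u-2 has one.
const sessions = new Map<string, SessionRecord>([
  ['s-phone', { id: 's-phone', userId: 'u-1', revokedAt: null }],
  ['s-laptop', { id: 's-laptop', userId: 'u-1', revokedAt: null }],
  ['s-other', { id: 's-other', userId: 'u-2', revokedAt: null }],
]);

const auditLog: Array<{ event: string; userId: string; sessionId: string }> = [];

// userId comes from the Bearer JWT; currentSessionId is the session bound to the
// biore_refresh cookie sent with the request (what the guard in step 2 compares).
function revokeSession(
  userId: string,
  currentSessionId: string,
  targetId: string,
  now: () => Date = () => new Date(),
): { success: true } {
  // Step 1: look up and verify ownership. A session owned by someone else gets
  // the same 404 as a missing one, so the endpoint does not confirm whether a
  // guessed session ID exists.
  const session = sessions.get(targetId);
  if (session === undefined || session.userId !== userId) {
    throw new HttpError(404, NOT_FOUND);
  }

  // Step 2: the requesting session must go through /auth/logout instead.
  if (session.id === currentSessionId) {
    throw new HttpError(400, CANNOT_REVOKE_CURRENT);
  }

  // Step 3: mark revoked. Revoking an already-revoked session is treated as
  // idempotent here (assumption; the page does not cover that case), so the
  // first revocation timestamp is kept.
  if (session.revokedAt === null) {
    session.revokedAt = now();
  }

  // Step 4: audit.
  auditLog.push({ event: 'auth.sessions.revoke.success', userId, sessionId: targetId });
  return { success: true };
}

// The check a refresh endpoint would make: a revoked session can no longer mint
// access tokens. An access token already issued is unaffected until it expires,
// which is why the other device loses access on its next refresh, not instantly.
function canRefresh(sessionId: string): boolean {
  const s = sessions.get(sessionId);
  return s !== undefined && s.revokedAt === null;
}

function revokedAt(sessionId: string): Date | null {
  return sessions.get(sessionId)?.revokedAt ?? null;
}
```

The ownership test and the existence test are deliberately collapsed into one 404 branch; splitting them (403 for "not yours") would turn the endpoint into an oracle for enumerating other users' session IDs.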

Code samples

cURL (cookies.txt holds the biore_refresh cookie so the server can apply the current-session guard):

curl -X DELETE https://api.bio.re/api/v1/auth/sessions/a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  -H 'Authorization: Bearer <accessToken>' \
  -b cookies.txt

TypeScript (fetch):

async function revokeSession(sessionId: string, accessToken: string): Promise<void> {
  const res = await fetch(`https://api.bio.re/api/v1/auth/sessions/${encodeURIComponent(sessionId)}`, {
    method: 'DELETE',
    headers: { 'Authorization': `Bearer ${accessToken}` },
    // Send the biore_refresh cookie so the current-session guard can run.
    credentials: 'include',
  });
  // A 429 from the throttle or an upstream error may not carry a JSON body.
  const json = await res.json().catch(() => null);
  if (!res.ok || !json?.success) {
    throw Object.assign(new Error(json?.error?.message ?? `Revoke failed (HTTP ${res.status})`), {
      status: res.status,
      code: json?.error?.code,
      i18nKey: json?.error?.i18nKey,
    });
  }
}

React (TanStack Query hook; getAccessToken() is assumed to be the app's own accessor for the current access token and is not defined on this page):

import { useMutation, useQueryClient } from '@tanstack/react-query';
import { sessionKeys } from './use-sessions';

export function useRevokeSession() {
  const qc = useQueryClient();
  return useMutation({
    mutationFn: async (sessionId: string) => {
      const res = await fetch(`/api/v1/auth/sessions/${encodeURIComponent(sessionId)}`, {
        method: 'DELETE',
        credentials: 'include',
        headers: { 'Authorization': `Bearer ${getAccessToken()}` },
      });
      const json = await res.json().catch(() => null);
      if (!res.ok || !json?.success) {
        throw Object.assign(new Error(json?.error?.message ?? `Revoke failed (HTTP ${res.status})`), {
          status: res.status,
          code: json?.error?.code,
          i18nKey: json?.error?.i18nKey,
        });
      }
    },
    onSuccess: () => {
      // Refetch the session list so the revoked entry disappears.
      qc.invalidateQueries({ queryKey: sessionKeys.all });
    },
  });
}

Error response shape

Error responses use the envelope below. The body shown is the generic example rendered by the reference; for this endpoint the code and i18nKey values are the ones listed under Errors, and correlationId is what to quote when raising a support ticket or searching server logs.

{
  "success": false,
  "error": {
    "code": "AUTH_UNAUTHORIZED",
    "message": "Invalid credentials",
    "i18nKey": "auth.login.invalid_credentials",
    "i18nVars": {
      "field": "email"
    },
    "details": [
      {
        "message": "email must be an email"
      }
    ],
    "correlationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  }
}

Source

Source        Path                                                   Lines
Controller    apps/api-core/src/modules/auth/auth.controller.ts      260–280 (revokeSession)
Service       apps/api-core/src/modules/auth/auth.service.ts         revokeSession()
Prisma model  packages/prisma/prisma/schema.prisma                   Session.revokedAt
