Get Active Sessions
GET
/web/v1/system/security/sessions JWTRequired Gateway Headers
All API requests require gateway headers. See Required Headers for the complete list. In local/test environments, you must also include Cloudflare simulation headers (CF-Connecting-IP, Cf-Ray, cf-ipcountry).
Retrieves all active login sessions for the authenticated user. The current session is marked with isCurrent: true.
Required Headers
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | Client device fingerprint | |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
| Authorization | Bearer | JWT access token |
Request Parameters
No request parameters required.
Request Example
No request body required.
Success Response
Success 200
{
"version": "2.0.0",
"timestamp": 1709337600000,
"success": true,
"code": "2000",
"message": "SUCCESS",
"data": [
{
"sessionId": "SESS...C_001",
"deviceInfo": "Windows 10 - Chrome 120",
"ipAddress": "127.0.0.10",
"location": "San Francisco, CA, US",
"createdAt": "2026-03-23T10:00:00Z",
"lastActiveAt": "2026-03-23T12:30:00Z",
"isCurrent": true,
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
},
{
"sessionId": "SESS...R_001",
"deviceInfo": "macOS 10.15 - Safari 17",
"ipAddress": "127.0.0.11",
"location": null,
"createdAt": "2026-03-23T09:00:00Z",
"lastActiveAt": "2026-03-23T11:45:00Z",
"isCurrent": false,
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15"
}
]
}| Field | Type | Description |
|---|---|---|
sessionId | string | Session identifier (masked for security, e.g. "SESS...C_001") |
deviceInfo | string | Human-readable device/browser summary (e.g. "Windows 10 - Chrome 120") |
ipAddress | string | Client IP address |
location | string or null | Geo-location derived from IP (e.g. "San Francisco, CA, US"), null if unavailable |
createdAt | string (ISO 8601) | When the session was created |
lastActiveAt | string (ISO 8601) | Last activity timestamp |
isCurrent | boolean | true if this is the session making the request |
userAgent | string | Raw User-Agent string from the client |
Error Responses
Unauthorized 401
{
"success": false,
"code": "4010",
"message": "Invalid or expired token"
}Notes
- Session IDs are masked (first 4 chars +
...+ last 4 chars) for security. The full session ID is never exposed. - The
isCurrentfield indicates whether each session is the one making this request. deviceInfois a server-parsed summary of theuserAgentstring for display purposes.locationis derived from IP geolocation and may benullif the IP cannot be resolved.- Sessions are registered upon login and include IP, User-Agent, and device metadata.