Get Sessions Config
GET
/web/v1/system/security/sessions/config JWTRequired Gateway Headers
All API requests require gateway headers. See Required Headers for the complete list. In local/test environments, you must also include Cloudflare simulation headers (CF-Connecting-IP, Cf-Ray, cf-ipcountry).
Retrieves the authenticated user's session security configuration including concurrent session limits, timeout settings, MFA requirements, and notification preferences.
Required Headers
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | Client device fingerprint | |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
| Authorization | Bearer | JWT access token |
| X-SC-Session-Id | Secure channel session ID |
Request Parameters
No request parameters required.
Request Example
No request body required.
Success Response
Success 200
{
"version": "2.0.0",
"timestamp": 1709337600000,
"success": true,
"code": "2000",
"message": "SUCCESS",
"data": {
"maxConcurrentSessions": 3,
"sessionTimeout": 86400,
"inactivityTimeout": 1800,
"requireMfaOnNewDevice": true,
"trustedDeviceExpiry": 2592000,
"loginNotification": true,
"ipLockEnabled": false
}
}| Field | Type | Description |
|---|---|---|
maxConcurrentSessions | integer | Maximum number of concurrent sessions allowed |
sessionTimeout | integer | Absolute session lifetime in seconds (e.g. 86400 = 24 hours) |
inactivityTimeout | integer | Session inactivity timeout in seconds (e.g. 1800 = 30 minutes) |
requireMfaOnNewDevice | boolean | Whether MFA is required when logging in from a new/untrusted device |
trustedDeviceExpiry | integer | Duration in seconds before a trusted device must re-verify (e.g. 2592000 = 30 days) |
loginNotification | boolean | Whether the user receives notifications on new logins |
ipLockEnabled | boolean | Whether sessions are locked to the originating IP address |
Error Responses
Unauthorized 401
{
"success": false,
"code": "4010",
"message": "Invalid or expired token"
}Notes
- All timeout values are in seconds.
requireMfaOnNewDeviceworks in conjunction with the user's configured MFA methods (see List MFA Methods).ipLockEnabledis separate from IP whitelist enforcement — see Get IP Whitelist for whitelist configuration.- Use Update Sessions Config to modify these settings.