Update Sessions Config
POST /web/v1/system/security/sessions/config
JWT Required
Gateway Headers
All API requests require gateway headers. See Required Headers for the complete list. In local/test environments, you must also include Cloudflare simulation headers (CF-Connecting-IP, Cf-Ray, cf-ipcountry).
Updates the authenticated user's session configuration. Supports partial updates (patch semantics) — null fields are treated as no-op.
Required Headers
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | | Client device fingerprint |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
| Authorization | Bearer | JWT access token |
| X-SC-Session-Id | | Secure channel session ID |
Request Parameters
| Name | Type | Required | In | Description |
|---|---|---|---|---|
| request | SessionConfigUpdateRequest | Required | body | Raw request body (encrypted via SecureChannel, auto-decrypted by the server) |
| maxConcurrentSessions | Integer | Optional | body | Maximum number of concurrent sessions allowed |
| sessionTimeout | Integer | Optional | body | Absolute session lifetime in seconds |
| inactivityTimeout | Integer | Optional | body | Session inactivity timeout in seconds |
| requireMfaOnNewDevice | Boolean | Optional | body | Whether MFA is required on new/untrusted devices |
| trustedDeviceExpiry | Integer | Optional | body | Trusted device expiry duration in seconds |
| loginNotification | Boolean | Optional | body | Whether to send login notifications |
| ipLockEnabled | Boolean | Optional | body | Whether to lock sessions to originating IP |
Request Example
```json
{
  "maxConcurrentSessions": 3,
  "sessionTimeout": 86400,
  "inactivityTimeout": 1800,
  "requireMfaOnNewDevice": true,
  "loginNotification": true
}
```
Success Response
Success 200
```json
{
  "version": "2.0.0",
  "timestamp": 1709337600000,
  "success": true,
  "code": "2000",
  "message": "SUCCESS",
  "data": {
    "maxConcurrentSessions": 3,
    "sessionTimeout": 86400,
    "inactivityTimeout": 1800,
    "requireMfaOnNewDevice": true,
    "trustedDeviceExpiry": 2592000,
    "loginNotification": true,
    "ipLockEnabled": false
  }
}
```
| Field | Type | Description |
|---|---|---|
| maxConcurrentSessions | integer | Maximum number of concurrent sessions allowed |
| sessionTimeout | integer | Absolute session lifetime in seconds |
| inactivityTimeout | integer | Session inactivity timeout in seconds |
| requireMfaOnNewDevice | boolean | Whether MFA is required on new/untrusted devices |
| trustedDeviceExpiry | integer | Trusted device expiry duration in seconds |
| loginNotification | boolean | Whether login notifications are enabled |
| ipLockEnabled | boolean | Whether sessions are locked to originating IP |
Error Responses
Unauthorized 401
```json
{
  "success": false,
  "code": "4010",
  "message": "Invalid or expired token"
}
```
Notes
- All fields are optional — null fields are ignored (patch semantics), so you can update only one field at a time.
- All timeout values are in seconds.
- The response returns the full updated configuration — see Get Sessions Config for field descriptions.
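The patch semantics described in the notes, as an added Python example (not the API's own code): `build_patch` and `apply_patch` are hypothetical helper names, and `PRIOR_CONFIG` is a constructed starting state. It shows that only null is a no-op, so `false` and `0` must survive client-side filtering; SecureChannel encryption of the body is not modeled.

```python
# Field names and types as listed in the Request Parameters table.
FIELD_TYPES = {
    "maxConcurrentSessions": int,
    "sessionTimeout": int,
    "inactivityTimeout": int,
    "requireMfaOnNewDevice": bool,
    "trustedDeviceExpiry": int,
    "loginNotification": bool,
    "ipLockEnabled": bool,
}


def build_patch(**changes):
    """Build the plaintext JSON body for a partial update (hypothetical helper).

    None means "leave unchanged" and is dropped. False and 0 are real values,
    so the filter tests `is None` rather than truthiness.
    """
    body = {}
    for name, value in changes.items():
        if name not in FIELD_TYPES:
            raise ValueError(f"unknown field: {name}")
        if value is None:
            continue
        expected = FIELD_TYPES[name]
        # bool is a subclass of int in Python: reject True/False for Integer fields.
        if (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
            raise TypeError(f"{name} must be {expected.__name__}")
        body[name] = value
    return body


def apply_patch(current, body):
    """Model of the documented behaviour: null or absent fields are no-ops."""
    merged = dict(current)
    merged.update({k: v for k, v in body.items() if v is not None})
    return merged


# Constructed prior state (assumption); not taken from the page.
PRIOR_CONFIG = {
    "maxConcurrentSessions": 5, "sessionTimeout": 43200, "inactivityTimeout": 900,
    "requireMfaOnNewDevice": False, "trustedDeviceExpiry": 2592000,
    "loginNotification": False, "ipLockEnabled": False,
}
# The Request Example from this page, with one explicit null added.
PAGE_REQUEST = build_patch(maxConcurrentSessions=3, sessionTimeout=86400,
                           inactivityTimeout=1800, requireMfaOnNewDevice=True,
                           loginNotification=True, ipLockEnabled=None)
```

Applying `PAGE_REQUEST` to `PRIOR_CONFIG` yields the `data` object of the success response above, with `trustedDeviceExpiry` and `ipLockEnabled` carried over unchanged.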