Sessions & Logout

The platform supports per-device sessions, so a customer can see where they are signed in and selectively log out individual devices or all devices at once. This is a security primitive — use logoutAllDevices when the customer thinks their account may be compromised.

Listing active sessions

Each session has an opaque id (safe to display — it is not the auth token), the user agent, the country it was opened from, when it was created and when it expires. isCurrent flags the session making the request so the UI can highlight it.

query ActiveSessions {
  customer {
    activeSessions {
      id
      loginMethod
      country
      userAgent
      createdAt
      expiresAt
      isCurrent
      expired
    }
  }
}

Logging out

Logs out only the current session. For web clients the auth cookie is cleared automatically.

mutation Logout {
  logout
}

Logging out a specific session

Use activeSessions to populate a session-management UI, then pass the chosen session id. Returns false if the session doesn’t exist (for example because it has already expired).

mutation LogoutSession {
  logoutSession(sessionId: "sess_abc123")
}

Logging out everywhere

Invalidates every session for the user, including the current one. The user will have to log in again on all devices.

mutation LogoutAllDevices {
  logoutAllDevices
}
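
A "sign out my other devices" action can be built from activeSessions and logoutSession, since logoutAllDevices also ends the current session. The following is an added example, not platform code: `execute(query, variables)` is a hypothetical transport that resolves to the response's `data` object, and the `String!` type of `sessionId` is an assumption about the schema.

```javascript
// Added example, not platform code. `execute(query, variables)` is a
// hypothetical transport that sends a GraphQL operation with the customer's
// credentials and resolves to the response's `data` object.

const ACTIVE_SESSIONS = `
  query ActiveSessions {
    customer {
      activeSessions { id userAgent country expiresAt isCurrent expired }
    }
  }`;

// Assumption: the sessionId argument is declared as String! in the schema.
// Passing it as a variable avoids building the operation by string concatenation.
const LOGOUT_SESSION = `
  mutation LogoutSession($sessionId: String!) {
    logoutSession(sessionId: $sessionId)
  }`;

async function logoutOtherSessions(execute) {
  const data = await execute(ACTIVE_SESSIONS, {});
  const sessions = data.customer.activeSessions;

  // Refuse to act if no session is flagged as current: without that anchor
  // the caller's own session could be revoked by mistake.
  if (!sessions.some((s) => s.isCurrent)) {
    throw new Error("no session flagged isCurrent; refusing to revoke");
  }

  const result = { revoked: [], alreadyGone: [], skippedExpired: [] };
  for (const s of sessions) {
    if (s.isCurrent) continue;
    if (s.expired) { result.skippedExpired.push(s.id); continue; }
    const out = await execute(LOGOUT_SESSION, { sessionId: s.id });
    // false means the session no longer exists (for example it expired
    // between the list and the mutation); record it, do not treat it as failure.
    (out.logoutSession ? result.revoked : result.alreadyGone).push(s.id);
  }
  return result;
}
```

Show `alreadyGone` ids to the user as signed out as well: the session no longer exists, so the outcome is the same.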

Customer Services impersonation

Customer Services agents can log in as a customer using a token obtained through internal tooling. The mutation returns the standard AuthenticationResponse and is rate limited per agent.

mutation ImpersonateLogin {
  impersonateLogin(impersonationToken: "imp_abc123...") {
    error
    customer {
      fullName
      email
    }
  }
}