Skip to main content

Sessions and security

Review active sessions, revoke access safely, and understand the template's account security boundaries.

SectionAccount / Security
PurposeAccount security how-to
UpdatedJul 6, 2026
AuthorTemplate Maintainers
Versionv1.2.0
Reading time2 min

Sessions and security

The security page helps users review active sessions and revoke access without exposing raw session tokens in the browser.

Review sessions

Open /user/security to see session metadata such as device, location, and timestamps. The current session is clearly separated from other sessions.

The page is intentionally limited to safe identifiers. Secret session tokens are resolved and handled on the server.

Revoke one session

Use the row action for a session that is not the current one. The server resolves the token for the selected session and revokes it.

The current session cannot be revoked through the single-session action. This prevents a confusing "revoke the page you are using" flow.

Revoke all other sessions

Use the bulk revoke action to sign out every other active session while preserving the current one. This is useful after password, provider, or device concerns.

Security expectations

Protected account actions ignore forged client identity and always load the authenticated session on the server. Product features built on top of the template should follow the same protected-action pattern.