UserSession
Represents an active (or historical) JWT session of the authenticated user. A session is one cookie/JWT pair minted at login, 2FA verify, or the password-change re-issue; each one is anchored to a `jti` embedded in the JWT and recorded in `user_sessions` with its IP/UA and lifetime window. User-facing surface introduced in v1.49.5 (ADR-0089).
Properties
| Field | Type | Description |
|---|---|---|
| id * | string (uuid) | Unique session identifier (UUID v7 time-ordered). This is the value the user references in `DELETE /v1/users/me/sessions/{id}`. |
| is_current * | boolean | `true` when this session matches the current request (the cookie JWT's `jti` matches). Lets the UI mark "this session" without an extra round-trip. |
| ip * | string \| null | IP address where the session was minted. `null` when `REMOTE_ADDR` was unavailable at login (misconfigured proxy, headless test, etc.). |
| user_agent * | string \| null | `User-Agent` header captured when the session was minted. `null` when the client did not send the header. The UI parses it into a readable "browser · OS" label. |
| created_at * | string (date-time) | UTC timestamp of session creation (ISO 8601). Equals the moment of the login / 2FA verify / password-change re-issue that minted it. |
| last_used_at * | string (date-time) | UTC timestamp of the most recent authenticated request that used this session (best-effort UPDATE on every AuthMiddleware hit). Used to sort the list by recency of use. |
| expires_at * | string (date-time) | UTC timestamp when the session expires automatically (`created_at + jwt.expiration`). After that instant AuthMiddleware rejects the JWT with `session_expired` even if the signature is still valid. |

Used in operations
GET /v1/users/me/sessions
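
The session check and list behaviour described above, as an added Python sketch that is not the project's own code: a `jti` lookup after signature verification, the `session_expired` rejection, the best-effort `last_used_at` update, and the `is_current` flag. `SessionRow`, `check_session`, `list_sessions`, the `unknown_session` code, the one-hour `jwt.expiration` and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

JWT_EXPIRATION = timedelta(hours=1)  # assumed value of jwt.expiration

@dataclass
class SessionRow:
    """One user_sessions row (hypothetical shape built from the documented fields)."""
    id: str
    jti: str  # server-side only: not part of the UserSession schema
    ip: Optional[str]
    user_agent: Optional[str]
    created_at: datetime
    last_used_at: datetime

    @property
    def expires_at(self) -> datetime:
        return self.created_at + JWT_EXPIRATION  # created_at + jwt.expiration

def check_session(rows: dict, jti: str, now: datetime):
    """Run after the JWT signature has verified. Returns (row, error_code)."""
    row = rows.get(jti)
    if row is None:
        return None, "unknown_session"  # hypothetical code, not documented on the page
    if now > row.expires_at:
        return None, "session_expired"  # rejected although the signature is valid
    row.last_used_at = now  # best-effort update on every authenticated hit
    return row, None

def list_sessions(rows: dict, current_jti: str) -> list:
    """Build the GET /v1/users/me/sessions items, most recently used first."""
    ordered = sorted(rows.values(), key=lambda r: r.last_used_at, reverse=True)
    return [{
        "id": r.id,
        "is_current": r.jti == current_jti,  # matches the request's cookie JWT
        "ip": r.ip,
        "user_agent": r.user_agent,
        "created_at": r.created_at.isoformat(),
        "last_used_at": r.last_used_at.isoformat(),
        "expires_at": r.expires_at.isoformat(),
    } for r in ordered]

# Constructed sample data: two sessions of one user, keyed by jti.
T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
ROWS = {
    "jti-laptop": SessionRow("sess-1", "jti-laptop", "203.0.113.7", "Mozilla/5.0 (constructed)", T0, T0),
    "jti-ci": SessionRow("sess-2", "jti-ci", None, None, T0 + timedelta(minutes=30), T0 + timedelta(minutes=30)),
}
```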