UserSession

Represents an active (or historical) JWT session of the authenticated user. A session is one cookie/JWT pair minted at login, 2FA verify, or the password-change re-issue; each one is anchored to a `jti` embedded in the JWT and recorded in `user_sessions` with its IP/UA and lifetime window. User-facing surface introduced in v1.49.5 (ADR-0089).

Properties

| Field | Type | Description |
| --- | --- | --- |
| id * | string (uuid) | Unique session identifier (UUID v7 time-ordered). This is the value the user references in `DELETE /v1/users/me/sessions/{id}`. |
| is_current * | boolean | `true` when this session matches the current request (the cookie JWT's `jti` matches). Lets the UI mark "this session" without an extra round-trip. |
| ip * | string \| null | IP address where the session was minted. `null` when `REMOTE_ADDR` was unavailable at login (misconfigured proxy, headless test, etc.). |
| user_agent * | string \| null | `User-Agent` header captured when the session was minted. `null` when the client did not send the header. The UI parses it into a readable "browser · OS" label. |
| created_at * | string (date-time) | UTC timestamp of session creation (ISO 8601). Equals the moment of the login / 2FA verify / password-change re-issue that minted it. |
| last_used_at * | string (date-time) | UTC timestamp of the most recent authenticated request that used this session (best-effort UPDATE on every AuthMiddleware hit). Used to sort the list by recency of use. |
| expires_at * | string (date-time) | UTC timestamp when the session expires automatically (`created_at + jwt.expiration`). After that instant AuthMiddleware rejects the JWT with `session_expired` even if the signature is still valid. |
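
A client-side conformance check for a `GET /v1/users/me/sessions` response body, added here as an example and not taken from the project's code: it validates each object against the fields above and orders the valid sessions by `last_used_at`. The function names, the sample data, and the "at most one `is_current`" rule are assumptions; the last follows from a request carrying a single `jti`.

```python
import uuid
from datetime import datetime

REQUIRED = ("id", "is_current", "ip", "user_agent", "created_at", "last_used_at", "expires_at")

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # "Z" fails before 3.11

def check_session(s):
    """Return the schema violations found in one UserSession object."""
    errors = [f"missing {f}" for f in REQUIRED if f not in s]
    if errors:
        return errors
    try:
        if uuid.UUID(s["id"]).version != 7:
            errors.append("id is not UUID v7")
    except (ValueError, AttributeError, TypeError):
        errors.append("id is not a UUID")
    if not isinstance(s["is_current"], bool):
        errors.append("is_current is not boolean")
    for f in ("ip", "user_agent"):  # the only nullable fields
        if s[f] is not None and not isinstance(s[f], str):
            errors.append(f"{f} is neither string nor null")
    try:
        parse_ts(s["last_used_at"])
        if parse_ts(s["expires_at"]) <= parse_ts(s["created_at"]):
            errors.append("expires_at is not after created_at")
    except (ValueError, AttributeError, TypeError):
        errors.append("bad timestamp")
    return errors

def check_list(sessions):
    """Validate a session list; return (errors by id, valid ids by most recent use)."""
    errors = {s.get("id"): e for s in sessions if (e := check_session(s))}
    if sum(s.get("is_current") is True for s in sessions) > 1:
        errors["*"] = ["more than one session marked is_current"]
    valid = [s for s in sessions if s.get("id") not in errors]
    valid.sort(key=lambda s: parse_ts(s["last_used_at"]), reverse=True)
    return errors, [s["id"] for s in valid]

# Constructed sample response body (not captured from a real deployment).
SAMPLE = [
    {"id": "018f3e2a-7b1c-7d4e-8a9b-0123456789ab", "is_current": False, "ip": None,
     "user_agent": None, "created_at": "2025-01-10T08:00:00Z",
     "last_used_at": "2025-01-10T09:30:00Z", "expires_at": "2025-01-11T08:00:00Z"},
    {"id": "018f4c11-22aa-7001-9f00-aabbccddeeff", "is_current": True, "ip": "203.0.113.7",
     "user_agent": "ExampleBrowser/1.0", "created_at": "2025-01-12T10:00:00Z",
     "last_used_at": "2025-01-12T10:05:00Z", "expires_at": "2025-01-13T10:00:00Z"},
    {"id": "not-a-uuid", "is_current": False},  # deliberately incomplete
]
```

`check_list(SAMPLE)` reports the incomplete third object and returns the two valid session ids with the most recently used first.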

Used in operations

  • GET /v1/users/me/sessions

Referenced by schemas