Invalidate Individual Sessions in Okta Identity Engine via API
Overview
Sessions in Okta Identity Engine (OIE) function based on the idx cookie rather than the Session ID (sid) from Okta Classic Engine, making legacy API calls incompatible. To invalidate an OIE session, retrieve the idx cookie from the target session and execute a DELETE request to the /api/v1/sessions/me endpoint.
Applies To
- Okta Identity Engine (OIE)
- Sessions
- Application Programming Interface (API)
Cause
Sessions in OIE function based on the idx cookie rather than the Session ID (sid) used in Okta Classic Engine. Consequently, OIE does not support API calls requiring a Session ID to manage lifecycles. This limitation includes the call to invalidate an existing session, which Okta Classic Engine performs using the following API call:
DELETE {url}/api/v1/sessions/{sid}
Solution
What are the steps to invalidate an individual session in Okta Identity Engine via API?
Retrieve the idx cookie from the browser developer tools and execute a DELETE API call to invalidate the session.
1. Open the Developer Tools in the browser.
2. Select the Application tab.
3. Under Cookies, select the tenant URL.
4. Select idx and copy the value.
5. Prepare the following API call:
   DELETE {url}/api/v1/sessions/me
6. Add a new header with the following properties:
   - Key: Cookie
   - Value: idx={<idx>} (replace <idx> with the value copied in step 4).
Review the following image for an example of the configured API call.
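The same call as a script, added here as an example and not Okta's own code: it builds the DELETE request with the idx cookie header, refuses non-HTTPS tenant URLs and cookie values that would break the header, and returns the HTTP status. The function names are assumptions, and the braces in idx={<idx>} are treated as placeholder notation.

```python
import urllib.error
import urllib.parse
import urllib.request


def build_invalidate_request(org_url: str, idx: str) -> urllib.request.Request:
    """Build DELETE {url}/api/v1/sessions/me carrying the target session's idx cookie."""
    parts = urllib.parse.urlsplit(org_url)
    if parts.scheme != "https" or not parts.netloc:
        # The idx cookie is a live session credential; never send it in cleartext.
        raise ValueError("org_url must be an https:// tenant URL")
    if not idx or any(c in idx for c in ";, \t\r\n"):
        # Reject characters that would split the Cookie header or add a second cookie.
        raise ValueError("idx value contains characters not valid in a cookie value")
    # Assumption: the header value is idx=<value>, without the placeholder braces.
    url = f"https://{parts.netloc}/api/v1/sessions/me"
    return urllib.request.Request(
        url,
        method="DELETE",
        headers={"Cookie": f"idx={idx}", "Accept": "application/json"},
    )


def invalidate_session(org_url: str, idx: str, timeout: float = 10.0) -> int:
    """Send the request and return the HTTP status without printing the cookie."""
    req = build_invalidate_request(org_url, idx)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # Assumption: a non-2xx status means the session was not ended by this call.
        return err.code


if __name__ == "__main__":
    import getpass
    import sys

    # Prompt for the cookie so it does not land in shell history or process listings.
    status = invalidate_session(sys.argv[1], getpass.getpass("idx cookie value: "))
    print("HTTP", status)
```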
