<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D5KZ00001cWjIP0A0Okta Classic EngineAuthenticationAnswered2026-06-05T17:10:12.000Z2025-11-14T13:02:38.000Z2026-06-05T17:10:12.000Z

Syed HishamA.90192 (Customer) asked a question.

November 14, 2025 at 1:02 PM
How to ensure immediate logout and sessions revocation for a user via APIs?

 

Hi,

We have the following setup:

  • Our SPA uses Okta Sign-In Widget with okta-auth-js and @okta/okta-react.
  • On login, access and ID tokens are in the browser(okta-token-storage) via okta auth sdk and we call signInWidget.showSignInToGetTokens({ el }) to get tokens. (no Okta session cookie sid or idx is visible in browser/cookie storage).
  • We call oktaAuth.handleLoginRedirect(tokens) on successful login.

 

Our questions are:

Session creation:

  • Is an Okta session (sid or idx) actually being created in this flow?
  • If so, why don’t we see it in browser cookie storage or via the UI? Also, on hitting oktaAuth.signOut I see that a DELETE call is being made to /sessions/me endpoint with the sid..how is that possible if no session is being created on okta’s end.

 

Revoking sessions:

  • We tried using /users/{id}/sessions to revoke all sessions after user deletion. It doesn’t seem to log out users immediately. 

 

Immediate logout on user deletion:

  • Given our current token-only SPA flow, is there a way to ensure users are immediately logged out when another user deletes them via DELETE user endpoint (basically an admin in our website deleting another user)? Anything to be called as a supplement to ensure that the deleted user's sessions are revoked immediately?

 

  • 5 answers
  • 164 views

  • RohitU.50441 (Trevonix)

    Okta session will get created if the SDK redirects users to /authorize endpoint.

     

    There are two things that defines session here.

     

    Okta's session itself that helps you get new tokens without entering credentials every time (this depends on session and sign on policy)

     

    Token lifetime is what decides the app session . So you need to revoke tokens instead of removing okta session.

     

    When a user is deactivated, they won't be able to login anyways to okta.

     

    What you could do is keep access token to 5 mins. And silently renew tokens every 5 mins. This way when a user is deactivated in okta, the max session they can have is 5 mins and the next silent token request will fail .

    Expand Post
    Selected as Best

  • User17157611498146715886 (Customer Support Online Community and Social Care)

    Hello @Syed HishamA.90192 (Customer)​ , thank you for contacting Okta Community!

     

    I've reviewed our documentation for something relevant. It looks like your question is more appropriate for our dedicated Okta Developer Forum. I advise reaching out via devforum.okta.com  as they will have more insight into this topic. 

     

    While we'll do our best to answer your questions here, this medium is more inclined towards Okta's core products and features (non-developer work).

     

    Regards. 

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Expand Post

  • RohitU.50441 (Trevonix)

    Okta session will get created if the SDK redirects users to /authorize endpoint.

     

    There are two things that defines session here.

     

    Okta's session itself that helps you get new tokens without entering credentials every time (this depends on session and sign on policy)

     

    Token lifetime is what decides the app session . So you need to revoke tokens instead of removing okta session.

     

    When a user is deactivated, they won't be able to login anyways to okta.

     

    What you could do is keep access token to 5 mins. And silently renew tokens every 5 mins. This way when a user is deactivated in okta, the max session they can have is 5 mins and the next silent token request will fail .

    Expand Post
    Selected as Best

  • Syed HishamA.90192 (Customer)

    Hi @RohitU.50441 (Trevonix)​ Thank you for the response!

    So when the next silent token request fails, would the user get logged out automatically?

    Also, is there no direct way to ensure that a user gets logged out/all sessions are revoked when a user is deleted? or no hack around it?

    If my understanding is correct, the session that you are referring to here isn't necessarily tied to the user session but rather enables tokens getting fetched silently?

    Expand Post

  • Syed HishamA.90192 (Customer)

    But then I also see that DELETE /sessions/me is invoked when a user signs out with session identifiers..

     

     

This question is closed.
Loading
How to ensure immediate logout and sessions revocation for a user via APIs?