Okta Community | Okta Classic Engine | Devices and Mobility | Answered | 2026-04-24

ChrisB.39007 (Customer) asked a question.

Killing mobile App Sessions for everyone in the company

Is there a way to kill app sessions in Okta for everyone in the company? This would be a hypothetical for incident response if a 3rd-party vendor were compromised. I know doing so via the admin portal for apps accessed via the desktop version is simple enough, but I wasn't sure if that would stop the API connections for a mobile app that someone is still logged into, giving them access to the compromised app.


I hope this makes sense.


  • Paul S. (Okta, Inc.)

    Hello @ChrisB.39007 (Customer). Thank you for posting on our Community page!


    The short answer is yes, you can kill those mobile API sessions globally, but simply clearing user sessions in the Okta Admin Console will not do it.

    When you clear a user's session from the Okta admin portal, you are destroying their Okta browser cookie. If they try to access a web app that redirects to Okta for SAML or OIDC authentication, they will be forced to log in again.

    However, mobile applications and API connections generally use OAuth 2.0 / OIDC. Instead of relying on a web session cookie, they are issued two things upon initial login:

    1. An Access Token: A short-lived token used to access the API.
    2. A Refresh Token: A long-lived token used to get new Access Tokens silently in the background without the user logging in again.

    If you just clear the user's Okta web session, the mobile app still holds its valid Refresh and Access tokens. The app will continue querying the 3rd-party vendor's API entirely unaware that the Okta web session is dead.

    If a 3rd-party vendor is compromised and you need to pull the plug on all access immediately (including mobile and API connections), follow these two steps:

    1. Deactivate the Application in Okta

    This is your first move to stop the bleeding. In the Okta Admin Console, navigate to the compromised app and deactivate it.

    • What this does: It immediately blocks any new authentication flows. No one else can open the app and generate a new token via Okta.

    2. Revoke All Tokens via the Okta Admin API

    To kill the existing active mobile sessions, you must revoke the refresh tokens that Okta issued to that specific application. Okta provides a specific Admin Management API endpoint for exactly this scenario:

    • Endpoint: DELETE /api/v1/apps/{appId}/tokens
    • What this does: This API call instantly revokes all OAuth 2.0 refresh tokens associated with that specific appId.

    Once this is executed, the mobile app can no longer use its Refresh Token to silently renew the user's session. The next time the app tries to refresh, Okta will deny the request, effectively breaking the API connection and forcing a logout.


    Thank you for reaching out to our Community and have a great day!

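Added example, not part of the thread and not Okta's own tooling: a Python script that runs the two steps from the answer in order against the Okta Management API (deactivate the app, then call the revoke-all-tokens endpoint) and reads the app's token list back to confirm it is empty. The org URL, admin API token and appId are placeholders, and `make_fake_okta` is a constructed simulator of the three endpoints so the flow can be exercised offline; the `http_send` transport is what you would pass to hit a real org.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Placeholders (assumptions, not values from the thread): your org URL, an
# admin API token, and the appId of the compromised vendor's app.
ORG_URL = "https://example.okta.com"
API_TOKEN = "00REPLACE_WITH_ADMIN_API_TOKEN"
APP_ID = "0oaEXAMPLEAPPID"

# Okta Apps API endpoints used below: the two steps from the answer, plus a
# read-back of the app's OAuth 2.0 tokens to confirm the revocation landed.
DEACTIVATE_APP = ("POST", "/api/v1/apps/{app}/lifecycle/deactivate")
REVOKE_ALL_TOKENS = ("DELETE", "/api/v1/apps/{app}/tokens")
LIST_TOKENS = ("GET", "/api/v1/apps/{app}/tokens")


def build_request(org_url, api_token, method, path):
    """Authenticated Management API request; API tokens use the SSWS scheme."""
    req = urllib.request.Request(org_url.rstrip("/") + path, method=method)
    req.add_header("Authorization", "SSWS " + api_token)
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    return req


def http_send(req):
    """Default transport for a real org: (HTTP status, JSON body or None)."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def contain_compromised_app(org_url, api_token, app_id, send=http_send):
    """
    Deactivate the app, revoke all of its refresh tokens, then list tokens.

    Order matters: deactivate first so no new tokens are minted while the
    revocation runs. Stops at the first failing step so a bad API token or
    wrong appId is reported rather than silently skipped.
    Caveat: revoking refresh tokens does not recall an access token that was
    issued without one; such tokens stay usable until they expire.
    """
    steps = []
    for name, (method, tmpl) in (("deactivate", DEACTIVATE_APP),
                                 ("revoke_all", REVOKE_ALL_TOKENS)):
        status, _ = send(build_request(org_url, api_token, method,
                                       tmpl.format(app=app_id)))
        steps.append((name, status))
        if status not in (200, 204):  # 200 on deactivate, 204 on revoke
            return {"ok": False, "steps": steps, "remaining": None}

    method, tmpl = LIST_TOKENS
    status, body = send(build_request(org_url, api_token, method,
                                      tmpl.format(app=app_id)))
    steps.append(("list_tokens", status))
    remaining = len(body) if isinstance(body, list) else None
    return {"ok": status == 200 and remaining == 0,
            "steps": steps, "remaining": remaining}


def make_fake_okta(app_id, issued_tokens):
    """Constructed offline stand-in for the three endpoints (not real Okta)."""
    state = {"status": "ACTIVE", "tokens": list(issued_tokens)}

    def send(req):
        method, path = req.get_method(), urlparse(req.full_url).path
        if req.get_header("Authorization") != "SSWS " + API_TOKEN:
            return 401, {"errorCode": "E0000011"}  # mimics Okta's error shape
        if (method, path) == ("POST", f"/api/v1/apps/{app_id}/lifecycle/deactivate"):
            state["status"] = "INACTIVE"
            return 200, {"id": app_id, "status": "INACTIVE"}
        if (method, path) == ("DELETE", f"/api/v1/apps/{app_id}/tokens"):
            state["tokens"].clear()
            return 204, None
        if (method, path) == ("GET", f"/api/v1/apps/{app_id}/tokens"):
            return 200, [{"id": t} for t in state["tokens"]]
        return 404, {"errorCode": "E0000007"}

    return send, state


if __name__ == "__main__":
    # Dry run against the simulator; pass send=http_send to hit a real org.
    fake_send, fake_state = make_fake_okta(APP_ID, ["rt_1", "rt_2", "rt_3"])
    print(contain_compromised_app(ORG_URL, API_TOKEN, APP_ID, send=fake_send))
    print(fake_state)
```

The read-back is the step worth keeping in a runbook: an empty token list is the evidence that existing mobile sessions can no longer refresh, while a non-empty list (or a non-2xx on either write) means the containment did not complete and should be retried before anyone declares the vendor cut off.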
