ZITADEL Docs

SetSession

Set Session

Update an existing session with new information like additional checks or metadata or request additional challenges. A new session token will be returned. Note that the previous token will be invalidated.

Required permissions:

  • session.write
PATCH /v2/sessions/{session_id}

Path Parameters

session_id* string

The unique identifier of the session to be updated.

Request Body

application/json

sessionToken? string (Deprecated)

Deprecated: the session token is no longer required when updating a session and will be ignored when provided.

checks?

Additional checks to be performed on the session. Successful checks will be stated as factors on the session. Re-executing a check that was already successful will overwrite the previous check time. For example, if a password check was already successful, it can be re-checked to update the check time. Note that a user check can only be performed once per session and cannot be changed afterwards. Some checks require that the user is already checked, either in the previous or the same request. For example, a password check requires that the user is already checked. Other checks, like WebAuthN or IDP intent, require that the user is already checked and a challenge was requested in any previous request. On successful checks, the session's factors field will be updated.

metadata?

Additional custom key value pairs to be stored on the session. Existing keys will be overwritten. To delete a key, set its value to an empty byte array. Note that metadata keys cannot be changed once the session has been created. You need to create a new entry and delete the old one instead.

challenges?

Additional challenges to be requested for further verification. The challenges will be created and returned in the response. They can then be used for further checks in a subsequent SetSession call. Requesting a challenge that was already requested will overwrite the previous challenge.

lifetime? string

Update the duration after which the session will be automatically invalidated. If not set, the lifetime will not be changed. Note that an expired session cannot be used for authentication anymore, but will still be listed until it is deleted.

Format: duration
[key: string]?never

Response Body

application/json


curl -X PATCH "https://loading/v2/sessions/string" \
  -H "Content-Type: application/json" \
  -d '{}'
{
  "details": {
    "sequence": 0,
    "changeDate": "1s",
    "resourceOwner": "string",
    "creationDate": "1s"
  },
  "sessionToken": "string",
  "challenges": {
    "webAuthN": {
      "publicKeyCredentialRequestOptions": {
        "property1": {},
        "property2": {}
      }
    },
    "otpSms": "string",
    "otpEmail": "string"
  }
}
{
  "code": "not_found",
  "message": "string",
  "detail": {
    "type": "string",
    "value": "string",
    "debug": {}
  }
}
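The ordering rules for checks and challenges, the metadata deletion convention and the token rotation described above, as a client-side pre-flight validator (an added example, not ZITADEL's own code). It covers only the password and WebAuthN rules the page spells out; the `SessionTracker` class, the JSON key names `user`, `password` and `webAuthN` inside `checks`, and the base64 encoding of metadata bytes are assumptions.

```python
import base64

# Assumed JSON keys for the checks the page names; not taken from the page.
NEEDS_USER = {"password", "webAuthN"}
NEEDS_CHALLENGE = {"webAuthN"}  # challenge key as shown in the sample response


class SessionTracker:
    """Client-side mirror of one session, used to pre-validate SetSession bodies."""

    def __init__(self, session_id, token):
        self.session_id = session_id
        self.token = token          # only the most recently returned token is valid
        self.user_checked = False
        self.requested = set()      # challenges requested in earlier requests

    def build_body(self, checks=None, challenges=None, metadata=None):
        checks, challenges = checks or {}, challenges or {}
        if "user" in checks and self.user_checked:
            raise ValueError("user check can only be performed once per session")
        user_ok = self.user_checked or "user" in checks  # same request is enough
        for name in checks:
            if name in NEEDS_USER and not user_ok:
                raise ValueError(f"{name} check requires a checked user")
            if name in NEEDS_CHALLENGE and name not in self.requested:
                raise ValueError(f"{name} check requires a previously requested challenge")
        body = {}
        if checks:
            body["checks"] = checks
        if challenges:
            body["challenges"] = challenges
        if metadata:
            # Byte values go out base64-encoded (assumed); b"" becomes "", which deletes the key.
            body["metadata"] = {k: base64.b64encode(v).decode("ascii") for k, v in metadata.items()}
        return body  # no sessionToken: the page says it is ignored on update

    def apply_response(self, body, response):
        """Record a successful update: rotate the token and remember new challenges."""
        self.token = response["sessionToken"]  # the previous token is now invalid
        self.user_checked = self.user_checked or "user" in body.get("checks", {})
        self.requested |= set(body.get("challenges", {}))
        return self.token
```

Send the dictionary returned by `build_body` as the PATCH body, then pass the parsed success response to `apply_response` so every later call uses the rotated token.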
