Currently, FusionAuth does not have native support for limiting users to a single session. However, this can be achieved programmatically using API calls.
Steps to Restrict to a Single Active Session:
- User Logs In:
  Upon a successful login, you will receive a new JWT for the session.
- Retrieve Existing JWTs:
  Use the GET /api/jwt/refresh endpoint to fetch all active JWTs for the user:
  GET /api/jwt/refresh?userId={userId}
  - Documentation: Retrieve JWTs
- Revoke Other Sessions:
  Loop through the retrieved JWTs and revoke all tokens except for the one associated with the most recent login. Use the DELETE /api/jwt/refresh endpoint to revoke each token:
  DELETE /api/jwt/refresh?token={token}
  - Documentation: Revoke JWT
Considerations:
- This approach assumes the most recent login session is the one you want to keep active.
- It requires handling session management programmatically on your end.
Feature Request:
There is an open request for native session-limiting functionality in FusionAuth. If this feature is important to your use case, you can upvote the request on GitHub:
GitHub Issue #1363
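The retrieve-then-revoke loop from the steps above, written out as an added Python example (not code from the answer or from FusionAuth). It assumes the retrieve endpoint returns a "refreshTokens" list whose entries carry "token" and "insertInstant" fields, and the base URL, API key and sample response are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, List, Optional

# Hypothetical settings (constructed for this example): point at your FusionAuth instance.
FUSIONAUTH_URL = "http://localhost:9011"
API_KEY = "replace-with-an-api-key-allowed-to-call-/api/jwt/refresh"

# Constructed sample of what GET /api/jwt/refresh?userId=... is assumed to return.
SAMPLE_RESPONSE = {"refreshTokens": [
    {"token": "tok-old-1", "insertInstant": 1000, "userId": "user-1"},
    {"token": "tok-new", "insertInstant": 3000, "userId": "user-1"},
    {"token": "tok-old-2", "insertInstant": 2000, "userId": "user-1"},
]}


def fusionauth_request(method: str, path: str) -> dict:
    """Call the FusionAuth API with the API key in the Authorization header."""
    req = urllib.request.Request(FUSIONAUTH_URL + path, method=method,
                                 headers={"Authorization": API_KEY})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else {}


def tokens_to_revoke(response: dict, keep_token: Optional[str] = None) -> List[str]:
    """Select every refresh token except the one to keep.

    If keep_token is None, the newest token (largest insertInstant) is kept, which
    matches the answer's assumption that the most recent login survives.
    """
    tokens = response.get("refreshTokens", [])
    if not tokens:
        return []
    if keep_token is None:
        keep_token = max(tokens, key=lambda rt: rt["insertInstant"])["token"]
    return [rt["token"] for rt in tokens if rt["token"] != keep_token]


def enforce_single_session(user_id: str, keep_token: Optional[str] = None,
                           request: Callable[[str, str], dict] = fusionauth_request) -> List[str]:
    """Revoke all of a user's other refresh tokens and return the revoked token values.

    Only refresh tokens are revoked here: access tokens (JWTs) already issued stay
    valid until they expire, unless the application also reacts to FusionAuth's
    jwt.refresh-token.revoke webhook event and rejects them.
    """
    current = request("GET", "/api/jwt/refresh?userId=" + urllib.parse.quote(user_id))
    revoked = []
    for token in tokens_to_revoke(current, keep_token):
        request("DELETE", "/api/jwt/refresh?token=" + urllib.parse.quote(token, safe=""))
        revoked.append(token)
    return revoked
```

Call enforce_single_session(user_id, new_refresh_token) right after a successful login; the request parameter lets you substitute a fake client for testing.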