Manage active sessions and devices
See where you are logged in, revoke a session you do not recognise, and force-logout the team after a security event.
Last updated 2026-05-10
Every login creates a session. Sessions expire after 30 days of inactivity by default. Sometimes you need to take control sooner.
Settings → Security → Active sessions
Lists every active session: device, browser, IP (geolocated), last activity timestamp. Each row has a Revoke button. Revoking kicks that session out within ~30 seconds.
The session you're on is marked "This device". Revoking it logs you out (useful before handing your laptop to a colleague).
Revoke all
The big red button. Logs out every session everywhere except the current one. Use this when:
- Someone shared your screen and might have seen your password
- A team member left the company (and you can't be sure their sessions ended)
- You see an unfamiliar IP in the list
- There has been a security incident anywhere
Your API keys keep working. Those are separate. Rotate them in addition if the incident was serious.
Per-team-member view
If you're an Owner, go to Settings → Employees → click any member → Sessions. You see their active sessions and can revoke any of them remotely. They get logged out without warning.
Session timeout
Settings → Security → Session policy. Configure:
- Idle timeout. Log out after N minutes of inactivity (default: never; 30 minutes is reasonable for shared computers)
- Absolute timeout. Force re-login every N hours regardless of activity (default: 720 hours / 30 days)
- Per-device limit. Max concurrent sessions per user (default: unlimited; 5 is reasonable)
Tighter timeouts mean more friction for the user but less risk if a session is stolen. The right setting depends on your team and threat model.
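To see how the three settings interact before tightening them, the sketch below evaluates a set of sessions against a policy. It is an added example, not code from the product: the class and field names, the sample sessions, and the choice to treat a session as expired exactly at the limit are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:                              # field names are hypothetical
    idle_minutes: Optional[int] = None     # None = never (the documented default)
    absolute_hours: int = 720              # documented default: 720 hours / 30 days
    max_sessions: Optional[int] = None     # None = unlimited (the documented default)

@dataclass
class Session:
    user: str
    created: datetime
    last_activity: datetime

def expiry_reason(s, p, now):
    """Return 'absolute', 'idle', or None if the session would still be valid."""
    # Absolute timeout counts from login, regardless of activity.
    if now - s.created >= timedelta(hours=p.absolute_hours):
        return "absolute"
    # Idle timeout counts from the last activity timestamp.
    if p.idle_minutes is not None and now - s.last_activity >= timedelta(minutes=p.idle_minutes):
        return "idle"
    return None

def evaluate(sessions, p, now):
    """Return (expired sessions with reason, users whose live sessions exceed the limit)."""
    expired, live = [], {}
    for s in sessions:
        reason = expiry_reason(s, p, now)
        if reason:
            expired.append((s.user, reason))
        else:
            live[s.user] = live.get(s.user, 0) + 1
    # Only reports the overage; how the product enforces the limit is not modelled.
    over = {u: n for u, n in live.items() if p.max_sessions is not None and n > p.max_sessions}
    return expired, over

# Constructed sample data, not exported from any real account.
NOW = datetime(2026, 5, 10, 12, 0)
SESSIONS = [
    Session("alice", NOW - timedelta(hours=2), NOW - timedelta(minutes=45)),
    Session("alice", NOW - timedelta(days=31), NOW - timedelta(minutes=5)),
] + [Session("bob", NOW - timedelta(days=1), NOW - timedelta(minutes=1)) for _ in range(3)]

if __name__ == "__main__":
    print(evaluate(SESSIONS, Policy(), NOW))
    print(evaluate(SESSIONS, Policy(idle_minutes=30, max_sessions=2), NOW))
```

With the default policy only the 31-day-old session expires; adding a 30-minute idle timeout also ends the session that has been quiet for 45 minutes, and a limit of 2 flags the user with three live sessions.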
Force-logout the entire team
Owner only. Settings → Security → Force logout all users. Every team member is kicked out within 30 seconds. They re-authenticate fresh. Use after a known compromise or after rotating your password policy.
Mobile sessions
Mobile app logins show up too. They're separate sessions from desktop. The mobile app keeps a longer-lived session (90 days) by default because re-authenticating on a phone is annoying. You can shorten this to 7 or 30 days at Settings → Security → Mobile session policy.
Audit log
Every revoke is logged. Settings → Security → Audit log shows who revoked which session, when, and from where. Three years of history are retained.