sessions

Tracks signed-in clients in the read_user_sessions table (one row per JWT, keyed by the sid/jti claim) and exposes handlers for mine (list your sessions), revoke, and revokeAllOthers. Session creation and revocation on the hot auth path are handled by createSessionCallbacks(), which is wired into buildServer({ auth: { ... } }) outside the dispatcher. The feature also ships a manual-trigger cleanup job for pruning expired rows and an optional autoRevokeOnPasswordChange hook that revokes all of a user's sessions whenever their passwordHash changes.

  • Requires: none
  • Activation: always on (not toggleable)
  • Exposes API: sessions.revokeAllForUser
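
The sketch below is an added example, not the project's own code: it models the one-row-per-JWT table in memory to show how mine, revoke, revokeAllOthers, revokeAllForUser, the password-change hook and the cleanup job relate. The SessionStore class, its method signatures, the row fields, the ownership check in revoke and the isActive check are assumptions made for illustration.

```javascript
// Added illustration, not the project's code: an in-memory stand-in for the
// read_user_sessions table. Class, method signatures and row fields are assumed.
class SessionStore {
  constructor() { this.rows = new Map(); } // sid/jti -> row, one row per JWT

  create(sid, userId, expiresAt) {
    this.rows.set(sid, { sid, userId, expiresAt, revokedAt: null });
  }
  // Assumed per-request check: a validly signed JWT is still rejected when
  // its row is missing, revoked or expired.
  isActive(sid, now) {
    const r = this.rows.get(sid);
    return Boolean(r) && r.revokedAt === null && r.expiresAt > now;
  }
  mine(userId, now) {
    return [...this.rows.values()]
      .filter((r) => r.userId === userId && this.isActive(r.sid, now))
      .map((r) => r.sid);
  }
  // Ownership is checked so one user cannot revoke another user's session.
  revoke(userId, sid, now) {
    const r = this.rows.get(sid);
    if (!r || r.userId !== userId || r.revokedAt !== null) return false;
    r.revokedAt = now;
    return true;
  }
  revokeAllOthers(userId, currentSid, now) {
    return this.mine(userId, now)
      .filter((sid) => sid !== currentSid)
      .filter((sid) => this.revoke(userId, sid, now)).length;
  }
  revokeAllForUser(userId, now) {
    return this.mine(userId, now).filter((sid) => this.revoke(userId, sid, now)).length;
  }
  // autoRevokeOnPasswordChange: fires only when passwordHash actually differs.
  onUserUpdated(before, after, now) {
    return before.passwordHash !== after.passwordHash
      ? this.revokeAllForUser(after.id, now) : 0;
  }
  // Cleanup job: prune rows whose token has expired, revoked or not.
  cleanup(now) {
    let pruned = 0;
    for (const [sid, r] of this.rows) {
      if (r.expiresAt <= now) { this.rows.delete(sid); pruned++; }
    }
    return pruned;
  }
}
```

Revoked rows are kept until they expire so that a still-valid token presented after revocation continues to fail the lookup; only the cleanup job deletes rows.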