Devices & Sessions
The devices command (aliases: sessions, ses) and session (alias:
device) mirror the Settings → Devices page. Use them to see every
device that’s currently signed into your Splashify Pro account and
remotely log any of them out.
Backed by /api/v1/app/auth/sessions[/:sessionId]. Every call uses your
stored oc_live_ token and is scoped to your account.
Quick start
# See every active session
splashify devices
# Sign out a suspicious one
splashify devices logout 5e9c1a40-…
# "Log out everywhere" — revokes every session in one go
splashify devices logout-all
The CLI keeps working. Access tokens (oc_live_…) are stored in a different table from login sessions, so splashify devices logout-all never revokes the CLI’s own access. You can run it from the CLI without locking yourself out.
What a session looks like
{
"session_id": "uuid",
"platform": "web", // or "android", "ios", "mobile"
"device_info": "Mozilla/5.0 …", // user-agent string
"ip_address": "203.0.113.4",
"last_seen": "2026-05-21T09:14:22Z",
"created_at": "2026-04-30T15:02:11Z",
"expires_at": "2026-07-30T15:02:11Z",
"is_current": false
}
is_current from the CLI is always false. The backend sets the flag by comparing the row’s session_id with the JWT’s session id. The CLI authenticates with an oc_live_ access token, not a session JWT, so there is no “current session” to mark. If you want to know which row is the browser tab you’re sitting in, run the same call from the app’s Settings → Devices page where the JWT carries the right context.
Command reference
splashify devices — list active sessions
splashify devices # default
splashify devices list # alias
splashify devices list --platform web # only web sessions
splashify devices list --platform android
splashify devices list --ip 203.0.113.4 # only sessions from this IP
splashify devices list --platform web --ip 203.0.113.4
| Backed by | GET /api/v1/app/auth/sessions |
|---|---|
--platform and --ip filter client-side — the backend returns the
full list. Platform values are lowercased before comparison:
| Value | Matches |
|---|---|
| web | desktop / laptop browsers |
| android | Android native app |
| ios | iOS native app |
| mobile | sessions whose platform is reported exactly as "mobile" |
Response shape:
{
"success": true,
"sessions": [
{"session_id": "...", "platform": "web", "device_info": "...", "ip_address": "...", "last_seen": "...", "created_at": "...", "expires_at": "...", "is_current": false}
]
}
When --platform or --ip is used, the CLI prints a filtered shape that
also includes a count field:
{"success": true, "sessions": [...], "count": 2}
splashify session <session_id> — show one
splashify session 5e9c1a40-1234-… # alias: device
No dedicated backend endpoint — the CLI fetches the list and filters
client-side, same pattern as splashify member <id>, splashify canned <id>, etc.
splashify devices logout <session_id> — revoke one
splashify devices logout 5e9c1a40-…
splashify devices revoke 5e9c1a40-… # alias
splashify devices signout 5e9c1a40-… # alias
| Backed by | DELETE /api/v1/app/auth/sessions/:sessionId |
|---|---|
Effect:
- Adds the session id to the Redis revocation set with the JWT’s full expiry — any in-flight token referencing this session is rejected from the next request onwards.
- Deletes the row from app_user_sessions_by_user.
- The browser tab or app holding that token will see its next API call return HTTP 401 and the user gets bounced to the login screen.
The action is immediate — there is no soft-undo.
splashify devices logout-all — revoke every session
splashify devices logout-all # prompts for confirmation
splashify devices logout-all --yes # skip the prompt (for scripts)
# Or narrow the wipe:
splashify devices logout-all --platform web # only web sessions
splashify devices logout-all --ip 203.0.113.4 # only sessions from this IP
splashify devices logout-all --platform web --yes # web only, no prompt
There is no bulk-revoke endpoint on the backend, so the CLI implements
this as list → iterate → DELETE per session. It prints each revocation
as it happens:
About to revoke 3 session(s):
5e9c1a40-… web 203.0.113.4 Mozilla/5.0 (Macintosh…)
6c1a40-… android 198.51.100.7 okhttp/4.12.0
8a40-… web 192.0.2.1 Mozilla/5.0 (Windows…)
Continue? (yes/no): yes
✓ 5e9c1a40-…
✓ 6c1a40-…
✓ 8a40-…
3 revoked, 0 failed.
--yes skips the confirmation prompt — use it in scripts. If any single
revocation fails (e.g. the session was already gone), the CLI continues
through the rest and reports the failure count at the end; the exit code
is non-zero so scripts can detect a partial failure.
Common workflows
See where you’re signed in right now
splashify devices | jq '.sessions[] | {
device: .device_info[:50],
platform,
ip: .ip_address,
last_seen,
expires: .expires_at
}'
“Audit oldest first”
splashify devices | \
jq '.sessions | sort_by(.created_at) | .[] | {session_id, platform, ip: .ip_address, created_at}'
Sign out every web session, keep mobile
splashify devices logout-all --platform web
# (web tabs get bounced; the Android / iOS apps keep working)
Revoke every session that hasn’t been seen for 30+ days
CUTOFF=$(date -u -v-30d '+%Y-%m-%dT%H:%M:%SZ') # macOS
# CUTOFF=$(date -u -d '30 days ago' '+%Y-%m-%dT%H:%M:%SZ') # linux
splashify devices | \
jq -r --arg c "$CUTOFF" '
.sessions[]
| select((.last_seen // .created_at) < $c)
| .session_id
' | \
xargs -I{} splashify devices logout {}
“I lost my laptop in Bangalore” — revoke everything from one IP
splashify devices logout-all --ip 203.0.113.4 --yes
One-liner: log out everything except the most-recent session
KEEP=$(splashify devices | jq -r '.sessions | sort_by(.last_seen // .created_at) | last | .session_id')
splashify devices | \
jq -r --arg keep "$KEEP" '.sessions[] | select(.session_id != $keep) | .session_id' | \
xargs -I{} splashify devices logout {}
Security notes
- Sessions expire automatically after ~3 months of inactivity — the backend stamps expires_at at login. A long-untouched browser tab becomes invalid on its own; you only need logout for active sessions you want to kill immediately.
- A revoked session cannot be recovered. The token can’t be “un-revoked”; the device must sign in again, which mints a fresh session row with a fresh id.
- oc_live_ tokens are separate from login sessions. Managing sessions never touches your access tokens, and vice versa. Use splashify token list to manage tokens.
- Concurrent-device limit. New web logins are subject to a 4-device cap — older web sessions are evicted automatically (mobile sessions are never auto-evicted; only web). The cap is enforced at login time, not on this listing.
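The jq recipes under Common workflows each test one condition. As an added example (not part of the Splashify CLI or its docs), this script reads the documented listing shape and flags sessions that are stale or come from outside a set of networks you recognise; triage, parse_ts, the known-network list and the sample data are assumptions made for illustration.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the documented response shape (not real data).
SAMPLE = json.loads("""
{"success": true, "sessions": [
 {"session_id": "aaaa-1", "platform": "web", "ip_address": "203.0.113.4",
  "last_seen": "2026-05-21T09:14:22Z", "created_at": "2026-04-30T15:02:11Z"},
 {"session_id": "bbbb-2", "platform": "android", "ip_address": "198.51.100.7",
  "last_seen": null, "created_at": "2026-03-01T08:00:00Z"},
 {"session_id": "cccc-3", "platform": "web", "ip_address": "192.0.2.1",
  "last_seen": "2026-05-20T22:41:05Z", "created_at": "2026-05-20T22:40:00Z"}
]}
""")


def parse_ts(value):
    # Accept the trailing "Z" on Python versions before 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(listing, known_networks, now, stale_days=30):
    """Return {session_id: [reasons]} for sessions worth a closer look."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    cutoff = now - timedelta(days=stale_days)
    flagged = {}
    for s in listing["sessions"]:
        reasons = []
        # Same fallback as the jq recipe: last_seen, else created_at.
        if parse_ts(s.get("last_seen") or s["created_at"]) < cutoff:
            reasons.append("stale")
        try:
            ip = ipaddress.ip_address(s.get("ip_address") or "")
            if not any(ip in net for net in nets):
                reasons.append("unknown-network")
        except ValueError:
            reasons.append("unparseable-ip")
        if reasons:
            flagged[s["session_id"]] = reasons
    return flagged


if __name__ == "__main__":
    now = datetime(2026, 5, 21, 12, 0, tzinfo=timezone.utc)
    known = ["203.0.113.0/24", "198.51.100.0/24"]  # assumed "my networks"
    for sid, why in triage(SAMPLE, known, now).items():
        print(sid, ",".join(why))
```

Review the flagged ids before passing any of them to splashify devices logout, since revocation has no undo.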
Troubleshooting
“Session not found” — the session_id doesn’t belong to your
account (or it was already revoked). Run splashify devices to refresh
the list.
logout succeeded but the browser is still active — the browser tab
still has the JWT in memory and won’t bounce until the next API call. It
gets a 401 on the next request and the user is redirected to login.
logout-all revoked sessions but the count says fewer were revoked
than expected — a session can disappear from the list between the
GET and the DELETE (e.g. another device logged out at the same time
or the row hit its TTL). The remaining DELETE returns 404 and the CLI
counts it as failed, but the end state is what you wanted.
Can I revoke the same session the CLI is using? — there is no
“session the CLI is using” — the CLI is authenticated with an oc_live_
access token, which lives in a separate table. So logout-all from the
CLI is safe: it’ll wipe every browser/mobile session but the CLI keeps
working. The only way to revoke CLI access is splashify token revoke <token_id>.
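The GET/DELETE race described above also affects scripts that loop over session ids themselves. As an added example (not the CLI's own code), this sketch runs the same list → iterate → DELETE pattern but, unlike the CLI's count, records a 404 as "already gone" rather than failed; the delete callable, the assumption that any 2xx means success, and FakeBackend are hypothetical.

```python
# Hypothetical transport: delete(session_id) returns the HTTP status of
# DELETE /api/v1/app/auth/sessions/:sessionId. Any 2xx is assumed to be success.

def revoke_all(sessions, delete):
    """list -> iterate -> DELETE, classifying each outcome."""
    report = {"revoked": [], "already_gone": [], "failed": []}
    for s in sessions:
        sid = s["session_id"]
        try:
            status = delete(sid)
        except OSError as exc:
            # Network error: record it and continue with the rest.
            report["failed"].append((sid, str(exc)))
            continue
        if 200 <= status < 300:
            report["revoked"].append(sid)
        elif status == 404:
            # Vanished between GET and DELETE; the desired end state holds.
            report["already_gone"].append(sid)
        else:
            report["failed"].append((sid, f"HTTP {status}"))
    return report


def exit_code(report):
    # Non-zero only when a session may still be live.
    return 1 if report["failed"] else 0


class FakeBackend:
    """Constructed stand-in for the API; not the real service."""

    def __init__(self, live, broken=()):
        self.live, self.broken = set(live), set(broken)

    def delete(self, sid):
        if sid in self.broken:
            return 500
        if sid not in self.live:
            return 404
        self.live.remove(sid)
        return 200
```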
See also
- Access Tokens — manage the oc_live_ tokens the CLI uses (a separate auth surface from login sessions).
- Team & Agents — for managing other people’s access to your account, not your own sessions.