A user's session can get revoked when logging in with a session-token due to several reasons: 1. Inactive Session: If no active session was found in the request, for example, no Ory Session Cookie or Ory Session Token was provided, the session will be revoked. This is indicated by the

session_inactive

error id. 2. Lower Authenticator Assurance Level (AAL): Depending on your configuration, if the session has a lower AAL than is possible for the identity, the session will be revoked. This can happen if the identity has password + webauthn credentials (which would result in AAL2) but the session has only AAL1. In this case, the user is asked to sign in with the second factor or change the configuration. This is indicated by the

session_aal2_required

error id. 3. Invalid Session Token: If the

Authorization: bearer <ory-session-token>

HTTP header was set with an invalid Ory Kratos Session Token, the endpoint returns a HTTP 401 status code, revoking the session. 4. Invalid Cookie: If the

Cookie

HTTP header was set containing an invalid Ory Kratos Session Cookie, the endpoint returns a HTTP 401 status code, revoking the session. For more details, refer to the [Ory API Reference](https://www.ory.sh/docs/reference/api).