Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi all, :wave:

How can I invalidate all sessions of user when he changes password? Auth session is *NOT* invalidated when user resets password.
Imagine scenario:
• your password was compromised
• you know this and changed it ASAP
• you want all existing sessions to be invalidated

The user should see all sessions with the `toSession()` (or `/sessions/whoami` ) call in the sdk. You can offer a UI and they "disconnect" (or close) all sessions. You can probably also do it via admin API:

<https://www.ory.sh/docs/kratos/reference/api#operation/adminListIdentitySessions>

Hi <@U03PPHZL3MK> thanks for your help! After a password reset flow, we would like to automatically close all the sessions. So that user will be forced to login again..

In that UI, what should be the API to call ?

You have to use the API, for example the admin one I linked to to list all sessions of an identity. And then iterate over the response.