Based on the available knowledge sources, Ory Kratos tracks session information such as when a user last authenticated (last login) via the session object’s authenticated_at field. This value is updated when the user logs in or refreshes their session, for example, after a password update or a second-factor authentication. This is typically used to represent the "last login" time, not the "last seen" time. The "last seen" timestamp—meaning the last time a user was active or made any request with a valid session—is not explicitly tracked or exposed by Kratos in the session object or API responses. The session object includes fields like authenticated_at, issued_at, and expires_at, but there is no field for "last seen" or "last activity" time. The session’s authenticated_at is only updated on re-authentication or session refresh, not on every request made with a valid session token or cookie, so it cannot be reliably used as a "last seen" indicator [Session-management Overview](https://www.ory.sh/docs/kratos/session-management/overview). If you need to track "last seen" activity, you would need to implement this yourself, for example, by updating a custom field in your user database every time a user makes an authenticated request to your backend. In summary: Ory Kratos does not natively provide a "last seen" timestamp. Only "last login" (authenticated_at) is available. If you require "last seen," you must implement this tracking in your application logic.

You are correct in your understanding: the authenticated_at field in the Ory Kratos session object represents the time of the most recent successful authentication (such as a login or a session refresh). If a user has an active session and continues to use your platform without re-authenticating (i.e., without logging in again or refreshing their session), the authenticated_at value will not change. It only updates when the user actually re-authenticates or explicitly refreshes their session (for example, after a password change or when prompted for multi-factor authentication) [Session-management Overview](https://www.ory.sh/docs/kratos/session-management/overview) [Refreshing a session](https://www.ory.sh/docs/kratos/self-service/flows/user-login#refreshing-a-session). So, if you are looking for a reliable "last login" timestamp, authenticated_at is accurate for that purpose. However, it does not reflect ongoing activity within an active session. If a user stays logged in for days without re-authenticating, authenticated_at will remain unchanged during that period. Summary: - authenticated_at = last login or last session refresh - It does not update on every user activity with an active session - It is reliable for "last login," but not for "last seen" or "last activity" tracking If you need "last seen," you will need to implement that tracking yourself in your application logic.