[[session-management-api-invalidate]]
=== Invalidate user sessions API
++++
<titleabbrev>Invalidate user sessions</titleabbrev>
++++

experimental[] Invalidates user sessions that match provided query.

[[session-management-api-invalidate-prereqs]]
==== Prerequisite

To use the invalidate user sessions API, you must be a `superuser`.

[[session-management-api-invalidate-request]]
==== Request

`POST <kibana host>:<port>/api/security/session/_invalidate`

[role="child_attributes"]
[[session-management-api-invalidate-request-body]]
==== Request body

`match`::
(Required, string) Specifies how {kib} determines which sessions to invalidate. Can either be `all` to invalidate all existing sessions, or `query` to only invalidate sessions that match the query specified in the additional `query` parameter.

`query`::
(Optional, object) Specifies the query that {kib} uses to match the sessions to invalidate when the `match` parameter is set to `query`. You cannot use this parameter if `match` is set to `all`.
+
.Properties of `query`
[%collapsible%open]
=====
`provider` :::
(Required, object) Describes the <<authentication-security-settings, authentication providers>> for which to invalidate sessions.

`type` ::::
(Required, string) The authentication provider `type`.

`name` ::::
(Optional, string) The authentication provider `name`.

`username` :::
(Optional, string) The username for which to invalidate sessions.
=====

[[session-management-api-invalidate-response-body]]
==== Response body

`total`::
(number) The number of successfully invalidated sessions.

[[session-management-api-invalidate-response-codes]]
==== Response codes

`200`::
  Indicates a successful call.

`403`::
  Indicates that the user may not be authorized to invalidate sessions for other users. Refer to <<session-management-api-invalidate-prereqs, prerequisites>>.

==== Examples

Invalidate all existing sessions:

[source,sh]
--------------------------------------------------
$ curl -X POST api/security/session/_invalidate
{
  "match" : "all"
}
--------------------------------------------------
// KIBANA

Invalidate sessions that were created by any <<saml, SAML authentication provider>>:

[source,sh]
--------------------------------------------------
$ curl -X POST api/security/session/_invalidate
{
  "match" : "query",
  "query": {
    "provider" : { "type": "saml" }
  }
}
--------------------------------------------------
// KIBANA

Invalidate sessions that were created by the <<saml, SAML authentication provider>> with the name `saml1`:

[source,sh]
--------------------------------------------------
$ curl -X POST api/security/session/_invalidate
{
  "match" : "query",
  "query": {
    "provider" : { "type": "saml", "name": "saml1" }
  }
}
--------------------------------------------------
// KIBANA

Invalidate sessions that were created by any <<oidc, OpenID Connect authentication provider>> for the user with the username `user@my-oidc-sso.com`:

[source,sh]
--------------------------------------------------
$ curl -X POST api/security/session/_invalidate
{
  "match" : "query",
  "query": {
    "provider" : { "type": "oidc" },
    "username": "user@my-oidc-sso.com"
  }
}
--------------------------------------------------
// KIBANA