Session Management

Phase note. This feature ships in Phase 2. The API shown is the planned surface.

CoreSDK will provide server-side session management layered on top of JWT or OAuth token verification. Sessions track token state, support revocation, and expose the authenticated user on the request context.

In Phase 1, token state is stateless — CoreSDK validates JWT signatures and expiry on every request. The current user is available via request.state.coresdk_user (FastAPI) after CoreSDKMiddleware processes the request.

Phase 1: Accessing the current user

After CoreSDKMiddleware validates a token, claims are available on the request state.

use coresdk_engine::{Engine, auth::decision::AuthRequest, error::ProblemDetail};

async fn me_handler(
    axum::extract::State(engine): axum::extract::State<Engine>,
    headers: axum::http::HeaderMap,
) -> impl axum::response::IntoResponse {
    let token = headers
        .get("authorization")
        .and_then(|v| v.to_str().ok())
        .and_then(|v| v.strip_prefix("Bearer "))
        .unwrap_or("");

    let decision = engine.auth().authorize(AuthRequest {
        token: token.to_string(),
        ..Default::default()
    })?;

    if !decision.allowed {
        return Err(ProblemDetail::unauthorized("invalid token"));
    }

    Ok(axum::Json(serde_json::json!({
        "sub":   decision.claims["sub"],
        "email": decision.claims["email"],
    })))
}

from coresdk import CoreSDKClient, SDKConfig
from coresdk.middleware.fastapi import CoreSDKMiddleware
from fastapi import FastAPI, Request

_sdk = CoreSDKClient(SDKConfig(
    sidecar_addr="http://127.0.0.1:7233",
    tenant_id="acme",
    service_name="my-api",
))

app = FastAPI()
app.add_middleware(CoreSDKMiddleware, sdk=_sdk)

@app.get("/api/me")
async def me(request: Request):
    user = request.state.coresdk_user  # set by CoreSDKMiddleware
    return {"sub": user["sub"], "email": user.get("email")}

Session creation (Phase 2)

Sessions will be created automatically when a request carries a valid token. You can also create them explicitly after an OAuth token exchange.

// Phase 2 — explicit session creation after OAuth callback
let session = engine.sessions().create(token_set).await?;
println!("session_id: {}", session.id);

# Phase 2 — explicit session creation after OAuth callback
session = await _sdk.sessions().create(token_set)
print(session.id)

// Phase 2 — Go SDK ships in Phase 2.
session, err := s.Sessions().Create(ctx, tokenSet)
fmt.Println(session.ID)

// Phase 2 — TypeScript SDK ships in Phase 2.
const session = await sdk.sessions().create(tokenSet);
console.log(session.id);

Session introspection (Phase 2)

Inspect an active session by ID to check its validity and remaining TTL.

let session = engine.sessions().get("sess_01HX7KQMB4").await?;
println!("user_id:    {}", session.user_id);
println!("expires_at: {}", session.expires_at);
println!("active:     {}", session.is_active());

session = await _sdk.sessions().get("sess_01HX7KQMB4")
print(session.user_id)
print(session.expires_at)
print(session.is_active())

// Phase 2 — Go SDK ships in Phase 2.
session, err := s.Sessions().Get(ctx, "sess_01HX7KQMB4")
fmt.Println(session.UserID, session.ExpiresAt, session.IsActive())

// Phase 2 — TypeScript SDK ships in Phase 2.
const session = await sdk.sessions().get("sess_01HX7KQMB4");
console.log(session.userId, session.expiresAt, session.isActive());

Session revocation (Phase 2)

Revoke a single session (logout) or all sessions for a user (force-logout / account compromise response).

// Revoke a single session
engine.sessions().revoke("sess_01HX7KQMB4").await?;

// Revoke all sessions for a user — useful after password change or compromise
engine.sessions().revoke_all_for_user("usr_2xK9").await?;

# Revoke a single session
await _sdk.sessions().revoke("sess_01HX7KQMB4")

# Revoke all sessions for a user
await _sdk.sessions().revoke_all_for_user("usr_2xK9")

@app.post("/auth/logout")
async def logout(request: Request):
    user = request.state.coresdk_user
    await _sdk.sessions().revoke_for_user(user["sub"])
    return Response(status_code=204)

// Phase 2 — Go SDK ships in Phase 2.
err := s.Sessions().Revoke(ctx, "sess_01HX7KQMB4")
err = s.Sessions().RevokeAllForUser(ctx, "usr_2xK9")

// Phase 2 — TypeScript SDK ships in Phase 2.
await sdk.sessions().revoke("sess_01HX7KQMB4");
await sdk.sessions().revokeAllForUser("usr_2xK9");

Environment variables

Variable	Description
`CORESDK_SIDECAR_ADDR`	Sidecar address (default: `http://127.0.0.1:7233`)
`CORESDK_TENANT_ID`	Tenant identifier
`CORESDK_FAIL_MODE`	`open` (default) or `closed` — behaviour on control plane partition

Next steps

JWT Authentication — stateless token verification (Phase 1)
OAuth 2.0 & OIDC — configure the token source that drives sessions (Phase 2)
RBAC & Roles — enforce role checks on the authenticated user

Session Management

Session Management

Phase 1: Accessing the current user

Session creation (Phase 2)

Session introspection (Phase 2)

Session revocation (Phase 2)

Environment variables

Next steps

On this page