Ramsai•3mo ago

Best Practices for Limiting Active User Sessions?

Hello Team,

We're using a cloud ZITADEL instance with a custom login UI and need guidance on managing user sessions. Our goal is to limit users to a maximum of two active sessions (like Netflix).

We've explored two ZITADEL API approaches, but both have challenges for our real-time needs:

Session Service API (v2): When we list sessions, terminated sessions still appear, making it hard to identify truly active ones. For example, if a user has three sessions and terminates the second one, the API call to list the last two sessions returns the terminated second session and the most recent session, but not the oldest active one.
Reference: https://zitadel.com/docs/apis/resources/admin/admin-service-list-events

Event API: We can see session.added and session.terminated events, but not events for sessions that expire automatically. Querying the entire event history for every request seems inefficient for real-time use.
Reference: https://zitadel.com/docs/concepts/eventstore/overview

Given this, we have a few questions:

1. What is the recommended, most reliable, and performant method to count a user's active sessions?
2. Are we misinterpreting the POST /v2/sessions/search endpoint? Is it the right tool for our use case?
3. Is there an event logged when a session expires due to inactivity (similar to session.terminated)? This would be crucial for accurate session counting if we rely on the Event API.

This is a general use case, so what is your recommendation for approaching it? Any suggestions would be greatly appreciated!
9 Replies
shree_harsha•3mo ago
Any update on this?
fcoppede•2mo ago
👋 hello @shree_harsha @Ramsai thanks for reaching out to us, this is Federico Coppede, nice to meet you! I'm currently looking into this, please allow me some time to test your use case, and I will get back to you shortly
RamsaiOP•2mo ago
Hi, do you have any update on this?
fcoppede•2mo ago
Hello @Ramsai, thanks for your patience while I looked into this. The sessions API will return the sessions that were created for that user, and if the user logs out, the session referenced by the client app (the browser) will be removed from the sessions array. I have tested this using the following endpoint:

- {{instance_url}}/v2/sessions/search
- body:

{
  "queries": [
    { "userIdQuery": { "id": "<USER_ID>" } }
  ]
}

Are you seeing a different behavior when the user logs out?
RamsaiOP•2mo ago
Hi @fcoppede, thanks for your reply. When I try the endpoint {{instance_url}}/v2/sessions/search, with the body that you have mentioned, the below response is given:

{
  "details": {
    "timestamp": "2025-07-23T13:07:34.502391Z"
  }
}

I can see that there are no details regarding the sessions.
fcoppede•2mo ago
Hello @Ramsai, that means that there is no session for that user. A note on this: this will work only if the user logs in using the Login V2 UI.
fcoppede•2mo ago
Please try to log in with a user using the Login V2 (make sure this is enabled on your application configuration) and then call the endpoint again.
RamsaiOP•2mo ago
Thanks team, I am able to get the active sessions in the response.
Gigi the Giraffe (Zitadel)
🎉 Looks like you just helped out another community member! Thanks for being so helpful <@854908558415495188>! You're now one step closer to leveling up—keep up the amazing peer support! 🚀
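Added example (not part of the thread and not ZITADEL's own code): one way to turn the POST /v2/sessions/search reply discussed above into the two-session cap from the question. It assumes each returned session carries `id`, `creationDate` and an optional `expirationDate`, and that ending the oldest sessions is the chosen policy; both sample replies are constructed.

```python
from datetime import datetime, timezone

MAX_ACTIVE = 2  # cap stated in the question


def parse_ts(value):
    """Parse a UTC timestamp such as 2025-07-23T13:07:34.502391Z."""
    head, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def active_sessions(search_response, now):
    """Sessions in a search reply that have not expired at `now`, oldest first."""
    live = []
    # A reply with only "details" (as in the thread) means no sessions at all.
    for s in search_response.get("sessions", []):
        exp = s.get("expirationDate")  # assumed field; absent = no lifetime set
        if exp is None or parse_ts(exp) > now:
            live.append(s)
    return sorted(live, key=lambda s: parse_ts(s["creationDate"]))


def sessions_to_terminate(search_response, now, max_active=MAX_ACTIVE):
    """IDs to end before a new login so the user stays within the cap."""
    live = active_sessions(search_response, now)
    excess = len(live) - (max_active - 1)  # leave room for the new session
    return [s["id"] for s in live[:max(excess, 0)]]


# Constructed sample replies (IDs and dates are made up for illustration).
NOW = parse_ts("2025-07-23T13:07:34.502391Z")
EMPTY = {"details": {"timestamp": "2025-07-23T13:07:34.502391Z"}}
THREE = {"details": {"timestamp": "2025-07-23T13:07:34.502391Z"}, "sessions": [
    {"id": "s-new", "creationDate": "2025-07-23T12:00:00Z"},
    {"id": "s-expired", "creationDate": "2025-07-21T08:00:00Z",
     "expirationDate": "2025-07-22T08:00:00Z"},
    {"id": "s-old", "creationDate": "2025-07-20T08:00:00.000000Z"},
    {"id": "s-mid", "creationDate": "2025-07-22T09:30:00.120000Z",
     "expirationDate": "2025-07-24T09:30:00Z"},
]}

if __name__ == "__main__":
    print(sessions_to_terminate(EMPTY, NOW))  # nothing to end
    print(sessions_to_terminate(THREE, NOW))  # oldest live sessions first
```

Run the check on the server side at login time, after authenticating the user and before creating the new session, so the client cannot skip it.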
