Magic-Sessionmanager — API Reference
Admin REST endpoints
All endpoints require a Strapi admin token (Authorization: Bearer <admin-token>).
GET /magic-sessionmanager/sessions
List all sessions with optional filters.
Query params:
userId - filter by user ID
status - active | inactive | terminated
country - ISO country code (DE, US, ...)
minThreat - minimum threat score (Advanced)
maxThreat - maximum threat score (Advanced)
since - ISO timestamp; only sessions created after it
limit - page size (default 50, max 200)
offset - pagination offset
Response:
```json
{
  "data": [
    {
      "id": 123,
      "userId": 1,
      "userEmail": "user@example.com",
      "status": "active",
      "ip": "203.0.113.42",
      "device": { "browser": "Chrome", "os": "macOS", "device": "Desktop" },
      "geolocation": { "country": "DE", "city": "Berlin", ... },
      "threatScore": 12,
      "createdAt": "2026-04-20T10:00:00Z",
      "lastSeen": "2026-04-20T14:35:00Z"
    }
  ],
  "meta": { "total": 1247, "limit": 50, "offset": 0 }
}
```
GET /magic-sessionmanager/sessions/:id
Full details on a single session.
POST /magic-sessionmanager/sessions/:id/terminate
Force logout. Invalidates JWT and blocks refresh token.
```bash
curl -X POST http://localhost:1337/magic-sessionmanager/sessions/123/terminate \
  -H "Authorization: Bearer <admin-token>"
```
POST /magic-sessionmanager/users/:userId/terminate-all
Force logout on all of a user's sessions (e.g. after password reset).
GET /magic-sessionmanager/stats
Dashboard stats.
```json
{
  "online": 42,
  "activeLast15Min": 78,
  "activeLast30Min": 134,
  "totalUsers": 5234,
  "blockedSessions": 3,
  "loginsByCountry": { "DE": 145, "US": 87, ... },
  "threatScoreDistribution": { "0-20": 234, "20-40": 45, ... }
}
```
GET /magic-sessionmanager/settings
Get plugin configuration.
PUT /magic-sessionmanager/settings
Update geo-fencing, auto-blocking rules, alerts.
```json
PUT /magic-sessionmanager/settings
{
  "geoFencing": {
    "mode": "allowlist",
    "countries": ["DE", "AT", "CH"]
  },
  "autoBlock": {
    "blockVpn": true,
    "blockTor": true,
    "minThreatScore": 70
  },
  "alerts": {
    "email": { "enabled": true, "recipients": ["security@example.com"] },
    "webhook": { "url": "https://hooks.slack.com/..." }
  }
}
```
Service API
Use from your Strapi code:
sessions.findLatest(criteria)
```typescript
const session = await strapi.plugin('magic-sessionmanager').service('sessions').findLatest({
  userId: 1,
});
// { id, ip, geolocation, lastSeen, ... }
```
sessions.terminate(sessionId, reason?)
```typescript
await strapi.plugin('magic-sessionmanager').service('sessions').terminate(sessionId, 'admin_forced');
```
sessions.terminateAllForUser(userId, reason?)
```typescript
// Use case: after password reset
await strapi.plugin('magic-sessionmanager').service('sessions').terminateAllForUser(userId, 'password_reset');
```
sessions.isBlocked(refreshToken)
```typescript
const blocked = await strapi.plugin('magic-sessionmanager').service('sessions').isBlocked(refreshToken);
if (blocked) {
  return ctx.unauthorized('Session terminated');
}
```
threat.scoreLogin({ ip, userAgent, userId }) (Advanced)
```typescript
const { score, flags } = await strapi.plugin('magic-sessionmanager').service('threat').scoreLogin({
  ip: ctx.request.ip,
  userAgent: ctx.request.header['user-agent'],
  userId: user.id,
});
if (score > 80) {
  // Require additional verification
}
```
geolocation.lookup(ip)
```typescript
const geo = await strapi.plugin('magic-sessionmanager').service('geolocation').lookup(ip);
// { country: 'DE', city: 'Berlin', ... }
```
Lifecycle events
Magic-Sessionmanager emits events you can subscribe to:
```typescript
// src/index.ts
export default {
  register({ strapi }) {
    strapi.plugin('magic-sessionmanager').hooks.on('session.created', async (session) => {
      console.log(`New session: user ${session.userId} from ${session.geolocation?.country}`);
    });
    strapi.plugin('magic-sessionmanager').hooks.on('session.terminated', async (session) => {
      // Log to your audit system
    });
    strapi.plugin('magic-sessionmanager').hooks.on('threat.detected', async ({ session, score }) => {
      // React to high-threat logins
      if (score > 90) {
        await notifySecurityTeam(session);
      }
    });
  },
};
```
Webhook payload
When an alert webhook fires (Advanced tier):
```json
POST https://hooks.slack.com/...
{
  "event": "threat.detected",
  "timestamp": "2026-04-20T14:35:00Z",
  "session": {
    "id": 123,
    "userId": 1,
    "userEmail": "user@example.com",
    "ip": "203.0.113.42",
    "device": { "browser": "Chrome", "os": "macOS" },
    "geolocation": { "country": "RU", "city": "Moscow" },
    "threatScore": 87,
    "flags": { "isVpn": true, "isDatacenter": true }
  },
  "rule": "Threat score > 80"
}
```
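This page describes no authentication on the alert webhook request, so a receiver that acts on an alert should treat the body as untrusted input. The following is an added example, not part of the plugin or its documentation: it validates the payload shown above before deriving the terminate endpoint path. The function name `triageAlert`, the 5-minute freshness window, the numeric-id rule and the reuse of the `score > 90` cut-off are assumptions.

```typescript
// Added example, not plugin code. Field names come from the webhook payload above;
// the thresholds, the freshness window and the function name are assumptions.
type Decision =
  | { action: 'reject'; reason: string }
  | { action: 'log' }
  | { action: 'terminate'; path: string };

const MAX_AGE_MS = 5 * 60 * 1000; // assumption: ignore alerts outside a 5-minute window
const TERMINATE_ABOVE = 90;       // same cut-off as the lifecycle hook example
const MAX_ID = 9007199254740991;  // largest integer that prints without an exponent

function triageAlert(raw: string, now: Date): Decision {
  let body: any;
  try {
    body = JSON.parse(raw);
  } catch (e) {
    return { action: 'reject', reason: 'not JSON' };
  }
  if (body === null || typeof body !== 'object' || body.event !== 'threat.detected') {
    return { action: 'reject', reason: 'unexpected event' };
  }
  const sentAt = typeof body.timestamp === 'string' ? Date.parse(body.timestamp) : NaN;
  if (isNaN(sentAt) || Math.abs(now.getTime() - sentAt) > MAX_AGE_MS) {
    return { action: 'reject', reason: 'stale or missing timestamp' };
  }
  const s = body.session;
  // The id is interpolated into an admin URL path, so accept only a positive
  // integer (assumption: ids are numeric, as in the samples on this page).
  if (!s || typeof s.id !== 'number' || s.id % 1 !== 0 || s.id <= 0 || s.id > MAX_ID) {
    return { action: 'reject', reason: 'bad session id' };
  }
  if (typeof s.threatScore !== 'number' || !isFinite(s.threatScore)) {
    return { action: 'reject', reason: 'bad threatScore' };
  }
  if (s.threatScore > TERMINATE_ABOVE) {
    return { action: 'terminate', path: `/magic-sessionmanager/sessions/${s.id}/terminate` };
  }
  return { action: 'log' };
}

// Constructed sample, modelled on the payload above.
const sample = JSON.stringify({
  event: 'threat.detected',
  timestamp: '2026-04-20T14:35:00Z',
  session: { id: 123, userId: 1, ip: '203.0.113.42', threatScore: 87, flags: { isVpn: true } },
});
console.log(triageAlert(sample, new Date('2026-04-20T14:36:00Z')));
```

Before calling the returned path, re-read the session with GET /magic-sessionmanager/sessions/:id and confirm the alert against the stored record, because a forged alert could otherwise log a user out.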