Canon-preserving guidance

Revoke the right session without guessing what else moves.

This guide explains the existing session revoke behavior in plain language. It does not create a new trust model, weaken current auth controls, or broaden SSO authority. Use it to decide whether you should refresh the current browser, revoke another device, or review cross-domain handoff traces first.

Read-only guide | Existing revoke semantics only | Check suspicious activity before bulk revoke

1) Current device

Revoking the current session normally means this browser loses its active auth state and must sign in again. Use this when you suspect the device itself is unsafe, shared, or out of your control.

What changes: Your active token or session key is cleared or invalidated for this browser.
What does not change: Your trust tier, certificate status, recovery authority, and SSO domain trust list stay the same.
Best follow-up: After re-signing in, review the trust map to confirm only the expected device lane returned.

2) Other devices

Revoking other devices targets non-current session groups that still appear in your recent audit lane. Use this when an old laptop, browser, or travel network should no longer retain access.

What changes: Those remote session clusters are asked to expire through the existing profile revoke path.
What stays scoped: The action is session-focused. It does not silently rotate credentials, rewrite certificate history, or change recovery contacts.
Best follow-up: Export the session inventory first if you want an incident record before revoking.

3) SSO-linked surfaces

Cross-domain SSO pages can share arrival context, but they still depend on the existing trust and session model. Revoke decisions should be checked against the latest SSO arrival posture before assuming every linked surface has already cleared.

What changes: The targeted session or session group is revoked using the current revoke route.
What needs review: If you arrived via a trusted or unrecognised SSO source, inspect the auth trail so you know which browser/domain touched the session.
Best follow-up: Use Security Audit to review unusual activity, then the trust map to confirm only expected surfaces remain.

Guardrail: This guide is intentionally additive and explanatory. It preserves existing auth, trust, certificate, recovery, and SSO semantics. If you need to change password, recovery, or trust posture, use the dedicated surfaces for those actions rather than treating revoke as a substitute.

🗺️ Session Trust Map

See which session lanes look current, aging, or suspicious before you revoke anything.

Open session trust map →

📦 Session Export

Download a JSON or Markdown inventory of recent session groups for support or incident notes.

Open session export →

🔒 Security Audit

Review unusual activity, linked hardening tasks, and posture checks around SSO or session anomalies.

Open security audit →