Sessions and devices
See where you are signed in, and remotely sign out.
A session is a sign-in on one browser or app. Dalea tracks every active session on your account and lets you revoke any of them remotely. This page is how you stay on top of which devices are signed in as you.
Where to find your sessions
Settings → Security → Sessions.
You'll see a list, ordered by most recent activity. Each row shows:
| Field | What it means |
|---|---|
| Browser / OS | "Chrome on macOS 14" — useful for spotting unfamiliar devices. |
| IP address | Approximate origin. Mobile carriers can show a different region than where your phone actually is. |
| Last active | When this session last made a request. |
| Sign-in method | Email-and-password, OAuth (Google, GitHub, Microsoft), or passkey. |
| Auth strength | Whether this session was elevated by TOTP or a passkey at some point. |
| This is you | Marker on your current session. |
Signing out a specific session
Click the X on any row. The session is invalidated immediately — the next request from that browser will be redirected to the sign-in page. There's no "sign out everywhere except here" toggle by design; revoke them individually so you confirm what you're disabling.
You can't sign out your current session from the list — to do that, use the regular Sign out option in the user menu.
When to be vigilant
Three flags worth watching:
- A device you don't recognise. Even if it shares your geography, an unknown browser fingerprint is worth investigating. Revoke and rotate your password (or remove the rogue passkey).
- A geography that doesn't match your travel. A session active from a city you weren't in is a hard signal. Revoke immediately.
- A session active long after you forgot it. If you signed in to demo Dalea on a colleague's machine three months ago, that session might still be there. Spring-clean the list every quarter.
Auto-expiry
Sessions don't last forever even if you never click revoke:
- Idle expiry — sessions inactive for 30 days are deleted by Dalea. This is enforced regardless of your settings.
- Hard expiry — the rememer-me cookie behind a session has a maximum lifespan; eventually you'll be asked to re-authenticate.
- Sensitive-action elevation — some actions (changing password, removing a passkey, viewing audit logs) require re-authentication even within an active session.
API keys vs sessions
Sessions are for browsers (and the desktop app, when that ships). For programmatic access — scripts, Python clients, server-to-server integrations — use API keys instead. They live in the same Settings area but on a separate tab; revoking a session doesn't touch your API keys.
See the Developers section for the full picture.