Revoking user sessions

Access provides two options for revoking user sessions: per-application and per-user.

When a user authenticates and meets the criteria defined in your Access application policy, Cloudflare Access issues a signed JSON Web Token (JWT). The token is valid for the duration configured in the application (the default is 24 hours). Until that token expires, the user can access the application without re-authenticating.


You can immediately terminate all active sessions for a specific application by navigating to the Access policy configuration screen for the application, and clicking Revoke Existing Tokens.


Unless there are changes to rules in the policy, users can generate a new token during authentication if their profile in your identity provider is still active.


Access can immediately revoke a single user session across all applications in your account. Once revoked, the user cannot reach any application path protected by Access. However, if the user’s identity profile is still active, they can generate a new session.

If you want to permanently revoke a user's access, first disable their account in your identity provider (IdP) so that they cannot authenticate, then revoke their Access user session.

To revoke a single user's session, begin at the Events card at the bottom of the Access app in the dashboard. In the Current monthly users tab, search for the user to revoke, select the Revoke Session option, and confirm.
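
The following added example (not Cloudflare code) models the rules described on this page so you can check what each offboarding choice leaves open: revoking only, disabling the IdP account only, or doing both. The class, function names, the `wiki` and `git` applications, and the e-mail addresses are hypothetical, and treating a revocation as a cutoff time that rejects earlier tokens is a modeling assumption, not a statement of how Access implements it.

```python
from dataclasses import dataclass, field

DEFAULT_SESSION_SECONDS = 24 * 3600  # the page's default token duration (24 hours)


@dataclass
class AccessModel:
    """Toy model of the session rules on this page (assumed, not Cloudflare's code)."""
    idp_active: dict = field(default_factory=dict)       # email -> IdP account enabled
    app_revoked_at: dict = field(default_factory=dict)   # app -> last per-application revoke
    user_revoked_at: dict = field(default_factory=dict)  # email -> last per-user revoke

    def login(self, email, app, now):
        """Issue a token only if the IdP still lets the user authenticate."""
        if not self.idp_active.get(email, False):
            return None
        return {"email": email, "app": app, "iat": now,
                "exp": now + DEFAULT_SESSION_SECONDS}

    def allowed(self, token, now):
        """Honour a token until it expires or a later revocation covers it."""
        if token is None or now >= token["exp"]:
            return False
        if token["iat"] <= self.app_revoked_at.get(token["app"], -1):
            return False  # per-application revoke: every user of that app
        # per-user revoke: that user's sessions in every application
        return token["iat"] > self.user_revoked_at.get(token["email"], -1)

    def revoke_app(self, app, now):
        self.app_revoked_at[app] = now

    def revoke_user(self, email, now):
        self.user_revoked_at[email] = now


def offboard(disable_idp, revoke_session):
    """Return (old session still works, user can obtain a new session)."""
    user = "alice@example.com"  # constructed sample identity
    m = AccessModel(idp_active={user: True})
    old = m.login(user, "wiki", now=0)
    if disable_idp:
        m.idp_active[user] = False
    if revoke_session:
        m.revoke_user(user, now=1800)
    new = m.login(user, "wiki", now=3600)  # user tries to sign in again
    return m.allowed(old, now=3600), m.allowed(new, now=3600)
```

Only `offboard(True, True)` returns `(False, False)`; revoking alone lets the user sign in again, and disabling the IdP account alone leaves the existing token usable until it expires.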