Where do I find active sessions in ChatGPT?

Open ChatGPT, go to Settings, select Security, then open Active sessions. OpenAI says this view can show recent sessions and trusted devices associated with your account when the feature is available.

Does enabling MFA log out other ChatGPT sessions?

No. OpenAI's MFA documentation states that enabling MFA does not automatically log you out of other devices or sessions. If you suspect unauthorized access, reset your password first when applicable, then log out of all sessions and enable or re-check MFA.

How long does ChatGPT log out of all sessions take?

OpenAI documents that Log out of all sessions logs you out across devices, including the current session, and may take up to 30 minutes. Build that propagation window into incident response expectations.

Why do I not see Active sessions in ChatGPT Security settings?

OpenAI says Active sessions may be unavailable for accounts linked to an organization's SSO sign-in, including SAML or OIDC. In that case, route session review through your identity provider or workspace admin process.

Are connected apps included in ChatGPT active sessions?

No. OpenAI's active sessions article says the feature does not show or manage third-party app sessions, connected apps, Sign in with ChatGPT sessions used only for third-party services, or Codex CLI sessions. Review those surfaces separately.

ChatGPT Active Sessions Security Cheat Sheet [2026]

ChatGPT active sessions give AI product teams a practical place to inspect signed-in browsers, first-party OpenAI app sessions, approximate locations, sign-in times, trusted devices, and the current session. The control is useful, but bounded: OpenAI notes that details can be approximate, third-party app sessions and connected apps are not managed there, and SSO-linked accounts may not have the feature. Use it as one layer in a broader account hygiene runbook.

Quick Start

Bottom Line

Review ChatGPT active sessions weekly, revoke anything unfamiliar, and document the escalation order. If compromise is suspected, MFA alone is not enough because it does not cancel existing logins.

What Active Sessions Covers

Active sessions can represent a signed-in browser session or first-party OpenAI app session.
Rows may include device or browser information, first-party app context, approximate location, sign-in date and time, trusted-device status, and current-session status.
OpenAI says session details may be approximate or incomplete, so treat this as triage evidence rather than a forensic source of truth.
The feature does not show or manage third-party app sessions, connected apps, Sign in with ChatGPT sessions used only for third-party services, or Codex CLI sessions.
For source context, see OpenAI Help Center: Managing active sessions in ChatGPT.

First-Pass Review Checklist

Open ChatGPT, then go to Settings > Security > Active sessions.
Confirm the row marked CURRENT SESSION matches the device you are using.
Flag unfamiliar browsers, devices, approximate locations, or app contexts.
Use Log out on a specific session when the row supports it.
Use Log out of all sessions for broad cleanup or suspected exposure.

Watch out: OpenAI documents that logging out of all sessions may take up to 30 minutes, and some accounts linked to organization SSO through SAML or OIDC may not have Active sessions available.

Live Search Filter

For team reviews, paste exported or manually transcribed session rows into a tiny local HTML page and filter by device, app, location, reviewer, or disposition. This is intentionally client-side so you can keep sensitive account notes local; redact locations and emails before sharing snippets in tickets. For broader privacy cleanup, pair this workflow with TechBytes' Data Masking Tool.

<input id='sessionSearch' type='search' placeholder='Filter sessions...' aria-label='Filter sessions'>
<table id='sessionTable'>
  <thead>
    <tr><th>Owner</th><th>Device</th><th>App</th><th>Location</th><th>Decision</th></tr>
  </thead>
  <tbody>
    <tr><td>pm@example.com</td><td>Chrome on macOS</td><td>ChatGPT</td><td>Approx. Seattle</td><td>Keep</td></tr>
    <tr><td>api@example.com</td><td>Unknown browser</td><td>API Platform</td><td>Approx. unknown</td><td>Review</td></tr>
  </tbody>
</table>

<script>
const input = document.querySelector('#sessionSearch');
const rows = [...document.querySelectorAll('#sessionTable tbody tr')];

input.addEventListener('input', () => {
  const q = input.value.trim().toLowerCase();
  rows.forEach(row => {
    row.hidden = q && !row.textContent.toLowerCase().includes(q);
  });
});
</script>

Filter Fields Worth Capturing

Owner: the teammate, test account, or service owner responsible for the account.
Device: browser, operating system, mobile app, or unknown device label.
App context: ChatGPT, Codex, or API Platform when available.
Decision: keep, revoke, rotate credentials, escalate, or blocked by SSO/admin policy.
Evidence note: short reviewer note with no secrets, tokens, passwords, or raw customer data.

Keyboard Shortcuts

ChatGPT does not expose a dedicated keyboard shortcut set for active-session administration, so use operating-system and browser shortcuts for fast review. Keep these in your internal runbook because most incident response time is lost to navigation, comparison, and ticket capture.

Shortcut	Purpose	Where It Helps
Ctrl + L / Cmd + L	Focus address bar	Open `chatgpt.com` or an internal checklist quickly.
Ctrl + F / Cmd + F	Find text	Search session notes for a device, city, reviewer, or app context.
Ctrl + Shift + T / Cmd + Shift + T	Reopen closed tab	Recover a closed settings, support, or incident tab.
Alt + Tab / Cmd + Tab	Switch applications	Move between ChatGPT, password manager, ticketing, and admin console.
Ctrl + Shift + V / Cmd + Shift + V	Paste without formatting	Drop cleaned notes into incident records without hidden styling.

Commands by Purpose

There is no official OpenAI CLI flag for ChatGPT active-session review. The safest command-line surface is therefore local automation around your checklist, browser launch, redaction, and evidence packaging.

Open Security Settings

# macOS
open 'https://chatgpt.com/#settings/Security'

# Linux
xdg-open 'https://chatgpt.com/#settings/Security'

# Windows PowerShell
Start-Process 'https://chatgpt.com/#settings/Security'

Create a Review Checklist

cat > chatgpt-session-review.md <<'EOF'
# ChatGPT session review

Date: 2026-06-25
Reviewer:
Account owner:

## Checks
- [ ] Opened ChatGPT > Settings > Security > Active sessions
- [ ] Confirmed current session
- [ ] Reviewed device/browser labels
- [ ] Reviewed first-party app context
- [ ] Reviewed approximate locations
- [ ] Logged out unfamiliar sessions
- [ ] Reviewed shared links and connected apps separately
- [ ] Rotated API keys if compromise was suspected

## Notes
EOF

Validate a Session Review JSON File

jq -e '
  type == "object" and
  (.date | type == "string") and
  (.reviewer | type == "string") and
  (.sessions | type == "array") and
  all(.sessions[]; has("device") and has("app") and has("decision"))
' chatgpt-session-review.json

Redact Evidence Before Sharing

perl -pe 's/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/[redacted-email]/ig; s/sk-[A-Za-z0-9_-]+/[redacted-key]/g' \
  raw-session-notes.txt > redacted-session-notes.txt

Configuration

Account-Level Controls

MFA: OpenAI says MFA applies across OpenAI services, including ChatGPT and the API Platform; methods may include authenticator app, push notification, text message, and passkey depending on availability.
Passkeys: Passkeys can sign in to an account or serve as an MFA method, and may be device-bound or synced depending on provider and platform.
Advanced Account Security: Eligible consumer accounts can require passkeys or security keys, disable password sign-in, disable email and SMS sign-in codes, and use shorter active sessions.
Shared links: Review shared links separately from active sessions because links can expose specific chat content even when session access is clean.
API keys: Rotate keys from the API key dashboard when account compromise or secret exposure is suspected.

Team Policy Defaults

{
  "chatgpt_session_hygiene": {
    "review_frequency": "weekly",
    "compromise_review_frequency": "immediate",
    "required_controls": ["mfa_or_passkey", "password_manager", "api_key_rotation_runbook"],
    "separate_reviews": ["active_sessions", "shared_links", "connected_apps", "api_keys"],
    "evidence_rules": {
      "store_raw_tokens": false,
      "store_passwords": false,
      "redact_emails_for_cross-team_tickets": true
    }
  }
}

Compromise Response Order

Reset the password first if the account uses one and password exposure is plausible.
Use Log out of all sessions from Active sessions.
Enable or re-check MFA, passkeys, or Advanced Account Security where available.
Delete and recreate exposed API keys.
Review account activity, usage, shared links, connected apps, and billing anomalies.
Contact OpenAI Support if unauthorized activity remains suspected.

Pro tip: Do not wait for a quarterly audit. Put Active sessions, shared links, connected apps, and API key review into the same recurring security checklist.

Advanced Usage

Product-Team Patterns

Launch readiness: before public demos, verify that demo accounts have no stale personal devices or unknown browser sessions.
Offboarding: require account owners to clear sessions and transfer ownership of shared assets before access removal.
Incident drills: practice the 30-minute session-revocation window so responders understand propagation expectations.
Admin boundaries: for SSO-managed organizations, route missing Active sessions behavior to the identity/admin workflow rather than assuming the control is broken.
Evidence hygiene: never paste raw session screenshots with emails, locations, API keys, or customer content into broad Slack channels.

Risk Scoring Template

function scoreSession(session) {
  let score = 0;
  if (session.device === 'unknown') score += 3;
  if (session.location === 'unexpected') score += 3;
  if (session.app === 'API Platform') score += 2;
  if (session.trustedDevice === true && session.ownerCannotConfirm) score += 2;
  if (session.currentSession === true) score -= 1;
  return score;
}

const decision = score => score >= 5 ? 'revoke-and-escalate' : score >= 2 ? 'review' : 'keep';

What Not To Infer

Do not infer exact physical location from approximate location data.
Do not treat the absence of a suspicious row as proof that no compromise occurred.
Do not assume MFA enrollment removed existing unauthorized sessions.
Do not assume connected apps, third-party sessions, or Codex CLI sessions are covered by ChatGPT Active sessions.
Do not invent workspace-level MFA enforcement; OpenAI's MFA help states that admins cannot currently enforce MFA at the ChatGPT workspace or API Platform organization level.

ChatGPT Active Sessions Security Cheat Sheet [2026]

Bottom Line

Quick Start

Bottom Line

What Active Sessions Covers

First-Pass Review Checklist

Live Search Filter

Filter Fields Worth Capturing

Keyboard Shortcuts

Commands by Purpose

Open Security Settings

Create a Review Checklist

Validate a Session Review JSON File

Redact Evidence Before Sharing

Configuration

Account-Level Controls

Team Policy Defaults

Compromise Response Order

Advanced Usage

Product-Team Patterns

Risk Scoring Template

What Not To Infer

Frequently Asked Questions

Get Engineering Deep-Dives in Your Inbox

Related Deep-Dives

API Key Rotation Runbook for AI Teams

Passkey and MFA Security Checklist

AI Product Security Review Template