Simon Carter
Security & Governance

ChatGPT's Active Sessions Feature Lets You See and Control Every Logged-In Device

OpenAI's new Active Sessions security feature lets ChatGPT users audit all signed-in sessions and remotely log out of ones they don't recognise.

security governance category

OpenAI has quietly shipped a genuinely useful security feature for ChatGPT: Active Sessions. It lives in your account’s security settings and gives you a clear view of every signed-in session tied to your account, with the ability to log out of any of them remotely. For most people, this is the kind of feature you hope you never need, but you’ll be glad it’s there when you do.

What Active Sessions Actually Shows You

Head to Settings > Security > Active Sessions in ChatGPT and you’ll find a list of sessions currently associated with your account. For each one, ChatGPT surfaces as much detail as it has available:

  • App context — whether the session is linked to ChatGPT, Codex, or the API Platform
  • Approximate location — based on IP, so don’t expect pinpoint accuracy
  • Sign-in date and time
  • Trusted device status — whether that device has been marked as trusted on your account
  • Current session indicator — one row will be labelled CURRENT SESSION, so you know which one you’re on right now

OpenAI is upfront that session details can be approximate or incomplete. A single browser row might represent activity across multiple first-party OpenAI products, so don’t read too much into any one entry.

How to Log Out of Sessions

If something looks unfamiliar, you have two options. You can log out of individual sessions by selecting the relevant row, or you can use Log out of all sessions to sweep everything in one go, including your current session.

A couple of practical notes worth knowing. If a row doesn’t have a log out button, it’s either your current session (which you’d need to end by signing out of ChatGPT directly) or the session status is unavailable. In the latter case, the “log out of all sessions” option is your best fallback.

Also, remote log-outs are not instant. OpenAI says it can take up to 30 minutes for other sessions to be fully terminated after you initiate a sign-out. If a row lingers after you’ve logged it out, give it time, refresh the page, or use the nuclear option of logging out everywhere.

What Active Sessions Does Not Cover

This is the part worth reading carefully, because the scope is more limited than the name implies.

Active Sessions only manages first-party OpenAI sessions. It does not show or let you manage:

  • Third-party app sessions connected to your OpenAI account
  • Sign in with ChatGPT sessions used exclusively for third-party services
  • Connected apps
  • Codex CLI sessions — notably absent even though standard Codex sessions do appear

If you’ve authorised third-party tools or services through your OpenAI account, those connections are managed separately and won’t appear here.

The SSO Exception

There’s one significant limitation for people in managed work environments. Active Sessions is not available for accounts linked to an organisation’s SSO sign-in, covering both SAML and OIDC setups. This applies even if your organisation doesn’t enforce SSO for every sign-in, or if you happened to use a different sign-in method for your current session. If Active Sessions doesn’t show up in your Security settings at all, this SSO restriction is the most likely reason.

Where This Sits in OpenAI’s Broader Security Push

Active Sessions doesn’t exist in isolation. OpenAI has been adding a meaningful set of account security controls over recent months.

The companion feature, Advanced Account Security, is an opt-in setting designed for users at higher risk of targeted attacks. It disables password-based login entirely, requires passkeys or physical security keys for sign-in, replaces email and SMS recovery with backup passkeys and recovery keys, and shortens active session lengths to reduce exposure if a device or session is compromised. With that feature enabled, Active Sessions becomes part of a more complete picture: you get better sign-in protection up front, and better visibility and control over what’s already signed in.

Lockdown Mode, a separate feature that restricts how far ChatGPT can reach into external services and the web, started rolling out to Enterprise plans in February and began reaching personal and self-serve business accounts in early June.

Together, these features represent a more serious approach to account security than ChatGPT has historically offered.

What This Means for You

For personal accounts, Active Sessions is a low-effort way to sanity-check where you’re logged in. If you use ChatGPT across multiple devices, browsers, or apps, it’s worth a quick look just to clear out any sessions from old devices or browsers you no longer use.

For teams and organisations using ChatGPT’s business or enterprise tiers, the practical value is similar but the stakes are higher. Being able to verify that only expected sessions are active, and to act quickly if something looks off, is a basic security hygiene capability that many enterprise tools have offered for years. It’s good to see it arrive here.

The SSO limitation is the main friction point for managed accounts. If your organisation uses SAML or OIDC, session management will remain the responsibility of your identity provider for now, and Active Sessions simply won’t appear for those users.

For everyone else, it’s available now across all ChatGPT account types. It takes about 30 seconds to check and could save you a significant headache if your account credentials ever end up somewhere they shouldn’t.

You can find the full details in OpenAI’s help article on managing active sessions.