---
title: Managing sessions and tokens on Android
description: PingOne Advanced Identity Cloud PingAM Android
component: orchsdks
page_id: orchsdks:journey:usage/android/06-handling-sessions
canonical_url: https://developer.pingidentity.com/orchsdks/journey/usage/android/06-handling-sessions.html
revdate: Tue, 2 Dec 2025 16:32:08 +0000
section_ids:
  getting_a_user_object_and_session_token: Getting a user object and session token
  signing_users_out: Signing users out
  managing_oidc_tokens: Managing OIDC tokens
  example: Example
---

# Managing sessions and tokens on Android

[icon: circle-check, set=far]PingOne Advanced Identity Cloud [icon: circle-check, set=far]PingAM [icon: android, set=fab]Android

* [Prepare](01-configuring-the-server.html)

* [Install](02-installing-the-journey-module.html)

* [Configure](03-configuring-the-journey-module.html)

* [Start](04-starting-an-authentication-journey.html)

* [Navigate](05-navigating-an-authentication-journey.html)

* **Manage**

After a user successfully authenticates, you can manage their session and associated tokens.

This section covers how to obtain a user object and session token, sign the user out, and manage OpenID Connect (OIDC) tokens, including retrieving, refreshing, and revoking them.

## Getting a user object and session token

After successfully navigating a journey you can use the `journey.user()` method to get an object that represents the authenticated user.

With the `user` object, you can call `user.session()` to obtain details about the session token.

Getting the user and session token on Android

```kotlin
val node = journey.start() // Initiate the authentication flow

when (node) {
    is ContinueNode -> {/* ... */}
    is FailureNode -> {/* ... */}
    is ErrorNode -> {/* ... */}

    is SuccessNode -> {
        // Checking the user object
        val user: User? = journey.user()
        // Retrieve the session token, if available
        val ssoToken: SSOToken = user.session()
    }
}
```

The `SSOToken` object contains the following properties:

* `value`

  The session token string itself.

  For example, `nlw0pDx5TBk3Rvq7T5tjJYI.*AAJTSQACMDIAAE1TkyMWVhTLABwyajjliTTAydzg9AARWZW9lZU5yd1FeXBlAANDVFMAAlMxIwMQ..*`

* `successUrl`

  The URL a user could be redirected to after authentication, such as their profile page.

  For example, `/enduser/?realm=/alpha`

* `realm`

  The realm of the authenticated user.

  For example, `/alpha`

## Signing users out

To sign a user out of the server, call the `logout()` method on the `user` object:

Signing users out on Android

```kotlin
user?.logout()
```

This clears the user's session, both locally and on the server, and revokes any associated OIDC tokens.

## Managing OIDC tokens

If you integrated the **OIDC** module with the **Journey**, you can interact with the issued OpenID Connect tokens, such as obtaining data from the user info endpoint, or revoking the access token.

* Retrieving an access token

  Use the `user.token()` method to obtain an OIDC access token on behalf of the user.

* Obtaining user info

  Use the `user.userInfo()` method to call the OIDC `/oauth2/userinfo` endpoint with the access token to retrieve details of the relevant user account.

  The response contains values such as first and last name, and other details:

  ```json
  {
    "name": "Babs Jensen",
    "family_name": "Jensen",
    "given_name": "Babs",
    "sub": "a0325ea4-9d9b-4056-931b-ab64704cc3da",
    "subname": "a0325ea4-9d9b-4056-931b-ab64704cc3da"
  }
  ```

* Refreshing an access token

  The **OIDC** module automatically refreshes access tokens if required, but you can also manually refresh them by using the `user.refresh()` method.

* Revoking an access token

  Use the `user.revoke()` method to invalidate an access token and delete it from local storage.

  |   |                                                                                                          |
  | - | -------------------------------------------------------------------------------------------------------- |
  |   | You can also use the `user.logout()` method to revoke OIDC tokens, as well as the user's session tokens. |

## Example

The following code shows how to get a user object followed by their SSO token.

The code then calls each of the methods provided by the `user` object, such as obtaining and refreshing access tokens, getting user info, and revoking the tokens.

The code then shows how to sign the user out of the server, which terminates the session on the server, revokes associated tokens, and clears any related tokens from client storage:

Managing OpenID Connect tokens with the OIDC module integrated

```kotlin
val node = journey.start() // Initiate the authentication flow

when (node) {
    is ContinueNode -> {/* ... */}
    is FailureNode -> {/* ... */}
    is ErrorNode -> {/* ... */}
    is SuccessNode -> {
        // Checking the user object
        val user: User? = journey.user()
        // Retrieve the session token, if available
        val ssoToken: SSOToken? = user?.session()

        user?.let {
            // Retrieve the current access token
            val accessToken = (it.token() as Result.Success).value

            // Fetch user information using the access token (if valid)
            val userInfo = (it.userinfo() as Result.Success).value

            // Use a refresh token to renew the access token, if available
            it.refresh()

            // Revoke the current access and refresh tokens
            it.revoke()

            // Initiate the logout process
            // Also clears local session data
            it.logout()
        }
    }
}
```