The Session Management page available under Avatar -> Session Management lists all tokens for any process having interaction with FogBugz or Kiln, including connections made by integrations, webhooks, or through API.
It also allows FogBugz administrators to view and revoke active tokens for their users. Revoking a token will result in immediate access revocation for that session.
Session tokens are created when a user successfully logs into FogBugz in each unique browser, so a user logged into FogBugz with Chrome and Firefox will have a session for each browser. API tokens can be created in the UI by:
- Avatar Menu > User Options > API Tokens > Create API Token button
- Using the FogBugz API commands as described in the Get an API Token using FogBugz API commands article.
FogBugz Administrators can navigate to Avatar Menu > Session Management to remove Session and API Tokens:
- individually - by clicking the red X next to them at the end of the line
- in bulk per user - by clicking the Delete All Tokens next to the user name
- in bulk for all sessions - by clicking the Kill All Sessions button at the top
Note: API tokens created for a given integration are listed under a user name reflecting the integration type (eg: API tokens for Google Drive integrations are listed separately as if it would exist a user named Google Drive).
A Token will get invalidated when:
- logging off in a browser session (only the session token for that browser session is invalidated, other browser session tokens will not be affected).
- a logoff API command is executed with that API token.
- changing the user’s password who created the given API token.
- a FogBugz administrator invalidates that token from this Session Management page.
Tokens are not invalidated when:
- email address is changed.