Session management in Shoal — see and revoke your signed-in devices

Every signed-in browser is visible

A messaging account that spreads across phones, tablets, laptops, and a spare hand-me-down in the drawer is harder to keep tidy than it sounds. Shoal handles this by treating each signed-in browser as a session — a named, revocable thing you can see and manage.

Open Settings → Sessions and you get two lists.

Your sessions. Every browser you’ve signed in on, with a friendly label, the last time it was active, and a revoke button. Includes the device you’re using right now (revoking that one signs the current browser out).
Family devices in this family (admin only). The shared tablets and hand-me-down phones nominated as family devices for this family — whoever the admin who set them up was. Any admin can revoke any of these.

Revoke any session from any other device

Tap revoke and the targeted session is gone from the server’s allow-list. From that point on, any request from that browser is refused. If the browser is online when you revoke it — Shoal open, a live conversation on screen — the WebSocket closes immediately with a clear reason, and the next thing the user sees is the sign-in screen. If the browser is offline at the time, the same thing happens the moment it tries to reconnect.

This is the lost-phone story: as long as one of your other devices is still signed in, you can lock the lost one out of the server in three taps from across the country. The credentials on it can’t be used to reach Shoal again, and no more messages will be delivered to it. What revocation doesn’t do is reach across the network and erase what’s already cached on the device — anything the browser had already loaded before you revoked it stays in its local storage until that storage is cleared. If the phone is in someone else’s hands, treat the cached threads the same way you’d treat anything else on it, and wipe the device if you can.

Why this matters for family devices

A family device is owned by the admin who nominated it. They — and any other admin in that family — can sign it out from their own phone if it’s been lost, broken, sold, or just outgrown. Children don’t need a separate password to manage; the admin’s account is the root of trust, and so the admin is the one who can take it back.

For families split across two homes, this is also the answer to the “is the other parent still signed in on the old device?” question. You can see, and you can change it.

How this fits with the rest of Shoal

Sessions sit alongside magic-link sign-in — together they’re the two halves of the account-control story. Magic-link gets you in without a password; sessions give you a clear way out of any device you no longer trust. Neither requires us to read anything you’ve sent.