/impersonate/status - Check current impersonation status

GET /impersonate/status

Checks if the current user has an active impersonation session.

Works with both token types:

Impersonation token: Returns session details from the token
Regular token: Checks Redis for active session and returns a new impersonation token if found

Use case for regular token: After a page refresh, the frontend loses the impersonation token but calls /auth/exchange to get a regular token. This endpoint allows the frontend to check if there's an active impersonation session and receive a new impersonation token to continue the session.

Response when impersonating:

is_impersonating: true
token: New impersonation JWT token (with remaining duration)
expires_in: Remaining seconds until expiration
session_id: Session ID for audit tracking
impersonated_user: Details of the user being impersonated
impersonator: Details of the user doing the impersonation
expires_at: Session expiration timestamp
created_at: Session creation timestamp

Response when not impersonating:

is_impersonating: false

Responses

200 application/json

Status retrieved successfully
Hide response attributes Show response attributes object
- code integer
- message string
  
  Values are currently impersonating or not currently impersonating.
- data object
  
  Hide data attributes Show data attributes object
  
  is_impersonating boolean
  
  Whether the user is currently impersonating someone
  
  token string
  
  Impersonation JWT token (only present when is_impersonating is true)
  
  expires_in integer
  
  Remaining seconds until token expiration (only present when is_impersonating is true)
  
  session_id string
  
  Session ID for audit tracking (only present when is_impersonating is true)
  
  impersonated_user object
  
  Details of the user being impersonated (only present when is_impersonating is true)
  
  Hide impersonated_user attributes Show impersonated_user attributes object
  
  id string
  
  User account ID
  
  logto_id string | null
  
  Logto user ID
  
  username string
  
  Username
  
  email string(email)
  
  Email address
  
  name string
  
  Full name
  
  phone string | null
  
  Phone number
  
  organization object
  
  Organization information (null when not assigned to an organization)
  
  Hide organization attributes Show organization attributes object
  
  id string
  
  Local database organization ID
  
  logto_id string
  
  Logto organization ID
  
  name string
  
  Organization name
  
  roles array[object]
  
  User roles with names
  
  Hide roles attributes Show roles attributes object
  
  id string
  
  Role ID
  
  name string
  
  Role name
  
  custom_data object
  
  Custom user data
  
  Additional properties are allowed.
  
  created_at string(date-time)
  
  Account creation timestamp
  
  updated_at string(date-time)
  
  Last update timestamp
  
  logto_synced_at string(date-time) | null
  
  Last Logto synchronization timestamp
  
  latest_login_at string(date-time) | null
  
  Timestamp of the last successful login via /auth/exchange endpoint. NULL means user has never logged in.
  
  deleted_at string(date-time) | null
  
  Soft delete timestamp (null if not deleted)
  
  suspended_at string(date-time) | null
  
  Suspension timestamp (null if not suspended)
  
  can_be_impersonated boolean
  
  Whether this user can currently be impersonated (only shown for users with impersonation permissions, based on active consent)
  
  impersonator object
  
  Details of the user doing the impersonation (only present when is_impersonating is true)
  
  Hide impersonator attributes Show impersonator attributes object
  
  id string
  
  User account ID
  
  logto_id string | null
  
  Logto user ID
  
  username string
  
  Username
  
  email string(email)
  
  Email address
  
  name string
  
  Full name
  
  phone string | null
  
  Phone number
  
  organization object
  
  Organization information (null when not assigned to an organization)
  
  Hide organization attributes Show organization attributes object
  
  id string
  
  Local database organization ID
  
  logto_id string
  
  Logto organization ID
  
  name string
  
  Organization name
  
  roles array[object]
  
  User roles with names
  
  Hide roles attributes Show roles attributes object
  
  id string
  
  Role ID
  
  name string
  
  Role name
  
  custom_data object
  
  Custom user data
  
  Additional properties are allowed.
  
  created_at string(date-time)
  
  Account creation timestamp
  
  updated_at string(date-time)
  
  Last update timestamp
  
  logto_synced_at string(date-time) | null
  
  Last Logto synchronization timestamp
  
  latest_login_at string(date-time) | null
  
  Timestamp of the last successful login via /auth/exchange endpoint. NULL means user has never logged in.
  
  deleted_at string(date-time) | null
  
  Soft delete timestamp (null if not deleted)
  
  suspended_at string(date-time) | null
  
  Suspension timestamp (null if not suspended)
  
  can_be_impersonated boolean
  
  Whether this user can currently be impersonated (only shown for users with impersonation permissions, based on active consent)
  
  expires_at string(date-time)
  
  Session expiration timestamp (only present when is_impersonating is true)
  
  created_at string(date-time)
  
  Session creation timestamp (only present when is_impersonating is true)
401 application/json

Unauthorized - invalid or missing token
Hide response attributes Show response attributes object
- code integer
- message string
- data object | null
500 application/json

Internal server error (failed to check session or generate token)
Hide response attributes Show response attributes object
- code integer
  
  HTTP error code
- message string
  
  Error message
- data object
  
  Hide data attributes Show data attributes object
  
  type string
  
  Type of error
  
  Values are validation_error or external_api_error.
  
  errors array[object]
  
  Hide errors attributes Show errors attributes object
  
  key string
  
  Field name that failed validation
  
  message string
  
  Error code or message
  
  value string
  
  Value that failed validation
  
  details
  
  Additional error details

GET /impersonate/status

curl \
 --request GET 'https://api.your-domain.com/api/impersonate/status' \
 --header "Authorization: Bearer $ACCESS_TOKEN"

Response examples (200)

{
  "code": 200,
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "created_at": "2025-09-29T16:33:59Z",
    "expires_at": "2025-09-29T17:33:59Z",
    "expires_in": 3540,
    "session_id": "d7734c1e-bed3-4350-8992-a5e09d4d253f",
    "impersonator": {
      "id": "c5054f56-3005-43c2-a237-07aa44e1551c",
      "name": "Company Owner",
      "email": "owner@example.com",
      "org_role": "Owner",
      "username": "owner"
    },
    "is_impersonating": true,
    "impersonated_user": {
      "id": "d1e17b87-11ce-4e74-a9f8-34d9638135f1",
      "name": "Edoardo Support",
      "email": "edoardo.spadoni@nethesis.it",
      "org_role": "Reseller",
      "username": "edoardo_spadoni"
    }
  },
  "message": "currently impersonating"
}

{
  "code": 200,
  "data": {
    "is_impersonating": false
  },
  "message": "not currently impersonating"
}

Response examples (401)

{
  "code": 401,
  "message": "invalid token",
  "data": {}
}

Response examples (500)

{
  "code": 500,
  "message": "failed to check impersonation status"
}

{
  "code": 500,
  "message": "failed to generate impersonation token"
}