Security
OpenAI Active Sessions Give ChatGPT Users a Security Control Plane
Published June 03, 2026 by Dillip Chowdary
Why It Matters
OpenAI added Active sessions controls on June 2, 2026, giving users a way to review first-party sessions associated with their account and sign out of sessions they do not recognize. Each session's details include device, app, approximate location, sign-in time, trusted-device status, and whether the session is current. For teams using ChatGPT, Codex, and the API Platform, this is a practical account-takeover control rather than a cosmetic settings page.
Architecture Impact
The update treats session visibility as a cross-product primitive. OpenAI says Active sessions can show known sessions from ChatGPT, Codex, and API Platform where available, while excluding third-party apps, connected apps, Sign in with ChatGPT sessions used only for third-party services, and Codex CLI sessions. That boundary matters because administrators should not assume one settings view covers every delegated access path.
Operational Playbook
Security teams should add session review to onboarding, offboarding, and incident response runbooks. A suspicious session should trigger password rotation, passkey review, connected-app review, and inspection of recent Codex or API activity. For developers, the practical habit is simple: review active sessions after using shared machines, temporary workstations, or public networks, then terminate anything stale.
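One way to make that review repeatable in a runbook, as an added example that is not OpenAI's or the author's code: the session records are constructed and hand-transcribed using the fields the settings view is described as showing, and the expected-location set and 30-day staleness threshold are local policy assumptions.

```python
from datetime import datetime, timedelta, timezone

# Access paths the article says the Active sessions view excludes: review separately.
NOT_COVERED = ["third-party apps", "connected apps",
               "Sign in with ChatGPT sessions used only for third-party services",
               "Codex CLI sessions"]
# Follow-ups the article lists for a suspicious session.
RESPONSE_STEPS = ["rotate password", "review passkeys", "review connected apps",
                  "inspect recent Codex or API activity"]

def triage(sessions, expected_locations, now, max_age=timedelta(days=30)):
    """Return (session, reasons) pairs; locations and max_age are local policy assumptions."""
    flagged = []
    for s in sessions:
        if s["current"]:
            continue  # assumption: the reviewer is working from this session
        reasons = []
        if not s["trusted_device"]:
            reasons.append("device not trusted")
        if s["location"] not in expected_locations:
            reasons.append("unexpected location")
        if now - s["signed_in"] > max_age:
            reasons.append("stale sign-in")
        if reasons:
            flagged.append((s, reasons))
    return flagged

def runbook(flagged):
    """Turn triage output into checklist lines, including the coverage gaps."""
    lines = [f"SIGN OUT? {s['app']} on {s['device']} ({s['location']}): {', '.join(r)}"
             for s, r in flagged]
    if flagged:
        lines += [f"THEN: {step}" for step in RESPONSE_STEPS]
    lines += [f"NOT IN THIS VIEW: {path}" for path in NOT_COVERED]
    return lines

# Constructed sample records, transcribed by hand; not an OpenAI export format.
NOW = datetime(2026, 6, 3, 12, 0, tzinfo=timezone.utc)
def _s(device, app, location, age, trusted, current=False):
    return {"device": device, "app": app, "location": location,
            "signed_in": NOW - age, "trusted_device": trusted, "current": current}
SAMPLE = [
    _s("MacBook Pro", "ChatGPT", "Berlin, DE", timedelta(hours=2), True, current=True),
    _s("Windows PC", "Codex", "Berlin, DE", timedelta(days=45), True),
    _s("Linux desktop", "API Platform", "Lagos, NG", timedelta(days=1), False),
    _s("iPhone", "ChatGPT", "Berlin, DE", timedelta(days=3), True),
]
if __name__ == "__main__":
    print("\n".join(runbook(triage(SAMPLE, {"Berlin, DE"}, NOW))))
```

The checklist always ends with the access paths the view excludes, so a clean session list is not read as a clean account.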
Builder Takeaway
The larger signal is that AI workspaces are becoming high-value identity surfaces. Agents can read files, summarize private context, and operate across projects, so session hygiene now belongs beside MFA, recovery keys, device trust, and workspace audit logs.