Identity actions
Sentinel's identity endpoints let you take immediate action on compromised or high-risk accounts — disabling accounts, revoking all sessions, and enforcing MFA re-challenge across connected identity providers.
Disable an account
bash
POST /v1/sentinel/identity/:userId/disable| Name | Type | Required | Description |
|---|---|---|---|
| reason | string | Yes | Why the account is being disabled. Logged permanently. |
| incident_id | string | No | Associate with an open incident. |
bash
curl -X POST https://api.hldgroup.org/v1/sentinel/identity/idn_01hxyz/disable \
-H "Authorization: Bearer hld_live_xxxx" \
-H "Content-Type: application/json" \
-d '{"reason": "Account compromise confirmed. Disabling pending investigation.", "incident_id": "inc_01hxyz"}'Warning:Disabling an account immediately revokes access across all connected identity providers (Azure AD, Okta, Google Workspace). Notify the user via out-of-band communication before disabling in non-incident scenarios.
Revoke all sessions
bash
POST /v1/sentinel/identity/:userId/revoke-sessions| Name | Type | Required | Description |
|---|---|---|---|
| reason | string | No | Optional reason for the audit trail. |
| incident_id | string | No | Associate with an open incident. |
Invalidates all active sessions immediately across all devices and applications. The user must re-authenticate from scratch.
Force MFA re-challenge
bash
POST /v1/sentinel/identity/:userId/force-mfaMarks the user's session as requiring MFA re-verification on their next request. Effective for suspicious login events where you want to re-verify identity without full account lockout.
json
{
"data": {
"action": { /* action object */ },
"mfa_challenge_required_from": "2025-06-01T03:14:00Z"
}
}Combining actions
For high-severity identity compromise, combine actions for maximum containment — disable the account AND revoke sessions:
typescript
const userId = 'idn_01hxyz'
const incidentId = 'inc_01hxyz'
const reason = 'Active credential attack confirmed.'
await Promise.all([
fetch(`/v1/sentinel/identity/${userId}/disable`, {
method: 'POST',
body: JSON.stringify({ reason, incident_id: incidentId }),
}),
fetch(`/v1/sentinel/identity/${userId}/revoke-sessions`, {
method: 'POST',
body: JSON.stringify({ reason, incident_id: incidentId }),
}),
])