3 Ways to Log Users Out of All Sessions in Google Workspace

Need to sign everyone out of Google Workspace, fast? Whether you’re handling a security incident, offboarding at scale, or tightening compliance, org-wide sign-outs help cut risk by killing active sessions across web, mobile, and desktop apps.

In this guide, you’ll learn three reliable ways to force logouts across your domain: using the Admin console, automating with the Admin SDK, and enforcing device-level sign-outs. We’ll note prerequisites, scope, and what users will see.

Table of Contents

• Use Google Workspace's UI
• Use Torii
• Use Google Workspace's API

Use Google Workspace’s UI

Here, you’ll use the Google Admin console to force a user to sign out everywhere. This is the standard method Google documents for cutting off active sessions fast.

Open the user in the Admin console

• Sign in to admin.google.com with an admin role that can manage users.
• Go to Menu > Directory > Users.
• Find the user by name or email, then click their name to open the account page.

Go to the user’s Security settings

• On the user’s page, click Security.
• If you don’t see Security, click Show more to expand the sections.

Reset sign-in cookies to sign the user out

• In Security, find Reset sign-in cookies or Sign out of all sessions.
• Click Reset or Sign out, then confirm.

What this does:

• Signs the user out of active Google sessions in web browsers and Google apps that use those sessions.
• Forces new sign-in the next time they open Gmail, Drive, Calendar, and other Google services.
• Usually takes effect within a few minutes.

If the user has managed mobile devices, remove the work account

• In the Admin console, go to Menu > Devices > Mobile & endpoints > Devices.
• Search for the user’s device. Open each device you need to act on.
• Click Actions, then choose Wipe account. Confirm the prompt.

Good to know:

• Wipe account removes the Google Workspace account and its data from the device and signs the user out.
• Do not choose Wipe device unless you intend to factory reset the device.

Verify the sign-out

• Ask the user to open Gmail or Drive in a browser. They should be prompted to sign in again.
• If needed, refresh the Admin console and check the user’s recent login activity under Security to confirm new sign-ins happen after the reset time.

Notes from Google’s docs:

• Google calls the main sign-out action Reset sign-in cookies on a user’s Security page.
• For mobile devices, Google documents Wipe account under Mobile & endpoints to remove the work profile and sign the user out.

Use Torii

Instead of acting directly in Google Workspace, you can leverage Torii, a SaaS Management Platform, to sign user out of all sessions in Google Workspace. SMPs centralize control of your SaaS stack-subscriptions, integrations, and user lifecycle-so you can programmatically onboard/offboard, review subscription details, and more.

Where Google Workspace requires a manual step, Torii lets you automate it. Define a workflow that runs whenever specific events occur-new hire, employee departure, contract renewal, and similar triggers-so the sign-out action runs without intervention, saving time when this task recurs.

To sign user out of all sessions in Google Workspace directly from Torii, do the following:

1. Sign up for Torii

Contact Torii, and request your free two-week proof-of-concept.

2. Connect your Google Workspace account to Torii

After your Torii account is active, connect Google Workspace to Torii (assuming you already have an account). Here are the instructions for the Google Workspace integration.

3. Create a Torii workflow for Google Workspace

In Torii, set up automated workflows to sign user out of all sessions in Google Workspace. Open the Workflows tab, choose your trigger, and add an action that signs the user out of all sessions in Google Workspace. From then on, whenever the trigger fires, Google Workspace will be updated automatically.

Use Google Workspace’s API

Here, you’ll call the Admin SDK Directory API users.signOut method to end a user’s active sessions across web and devices.

Step 1: Authorize with the right scope

You need an OAuth 2.0 access token that includes this scope: https://www.googleapis.com/auth/admin.directory.user.security. The caller must be a super admin or a service account with domain-wide delegation impersonating a super admin.

• Key points:
  • Use the Admin SDK Directory API.
• Scope required:
  • https://www.googleapis.com/auth/admin.directory.user.security
• Caller identity:
  • Super admin account, or
  • Service account with domain-wide delegation, impersonating a super admin

If you’re using a service account with domain-wide delegation, you’ll impersonate an admin when building credentials in code.

Python example to create delegated credentials with the required scope:

from google.oauth2 import service_account
from googleapiclient.discovery import build
from google.auth.transport.requests import Request

SCOPES = ["https://www.googleapis.com/auth/admin.directory.user.security"]
SERVICE_ACCOUNT_FILE = "service-account.json"
ADMIN_SUBJECT = "[email protected]"
creds = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES
)
delegated_creds = creds.with_subject(ADMIN_SUBJECT)

# Optionally refresh to ensure a valid access token is present
delegated_creds.refresh(Request())
print(delegated_creds.token) # Use this token in curl if you prefer raw HTTP

Step 2: Call users.signOut for the target user

The API method is Users.signOut.

• HTTP method and endpoint:
  • POST https://admin.googleapis.com/admin/directory/v1/users/{userKey}/signOut
• Path parameter:
  • UserKey can be the user’s primary email or unique user ID
• Headers:
  • Authorization: Bearer ACCESS_TOKEN
  • Content-Length: 0

Example curl is:

curl -X POST \
-H "Authorization: Bearer ACCESS_TOKEN" \
-H "Content-Length: 0" \
"https://admin.googleapis.com/admin/directory/v1/users/[email protected]/signOut"

What happens:

• The user is signed out of current Google sessions across web and supported devices.
• No request body is required.

Step 3: Call it with a client library (Python)

If you prefer the client library, here’s the same call using google-api-python-client with delegated credentials.

from google.oauth2 import service_account
from googleapiclient.discovery import build

SCOPES = ["https://www.googleapis.com/auth/admin.directory.user.security"]
SERVICE_ACCOUNT_FILE = "service-account.json"
ADMIN_SUBJECT = "[email protected]"
USER_KEY = "[email protected]"
creds = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES
)
delegated_creds = creds.with_subject(ADMIN_SUBJECT)
service = build("admin", "directory_v1", credentials=delegated_creds)
service.users().signOut(userKey=USER_KEY).execute()
print("Sign-out initiated.")

Step 4: Handle responses and common errors

• Success:
  • HTTP 204 No Content
• Common errors:
  • 400: Invalid userKey format
  • 403: Missing scope or caller is not authorized
  • 404: User not found in the domain
  • 429/503: Rate limits or transient errors, retry with backoff

Step 5: Practical notes

• Effect is not always instant. It can take a short time to propagate across sessions and devices.
• This ends sessions. It does not change the user’s password or wipe devices. For devices, use device management APIs if needed later.