The api-session’s ip address can change a number of times but zrok does not update it.
It keeps using the initial old value.
Ex:
curl -s -H "zt-session: $TOKEN" https://ziti.ctr:port/edge/management/v1/api-sessions?limit=-1 | jq -c '.data | sort_by(.identityId,.lastActivityAt)[] | [.identityId,.lastActivityAt,.ipAddress,.id]'
With your filter, I can see the source IP address of the identity that requested the API session.
ziti edge list api-sessions --output-json \
| jq -c '
.data
| sort_by(.identityId,.lastActivityAt)[]
| [.identityId,.lastActivityAt,.ipAddress,.id]
'
You’re saying that an identity’s outgoing IP address may change during an API session. Still, the API session always shows the first outgoing (source) IP address from which it received the API session request, correct?
Yes, exactly. The API shows the outdated IP address.
Or for two different api-sessions you can get two different ip addresses for the same identityId (envZId).
The way it’s behaving seems legitimate to me. I didn’t expect the API session’s originating IP address to reflect the most recent address. Still, I have not had a need for the information, either, until now.
Others may disagree. There’s room for interpretation and opinion, I suppose. Will you say a little more about how you would use the IP address if it updated automatically? It may be doable, but we should give it some thought because others using the current behavior could have a problem if it changes.
Can you clarify what you mean, please?
Where I can find the user’s IP address? So I simply run the following to find out the user’s IP address.
$ ziti edge list api-sessions 'limit none' -j | jq -c '.data | sort_by(.identityId,.lastActivityAt)[] | [.identityId,.id,.lastActivityAt,.createdAt,.ipAddress]'
["envId","cmdyh7fk02x9tcqiga195zr03","2025-08-05T15:39:09.815Z","2025-08-05T11:48:50.688Z","XXX.XXX.XXX.252"]
["envId","cmdyjzn3930wncqigg07w0er0","2025-08-05T15:39:58.366Z","2025-08-05T13:06:46.058Z","XXX.XXX.XXX.141"]
The IP recorded in the session is the one that was used to create the session. The actual session is independent, so if you moved from a wired to WiFi system and your IP changed, it would not be reflected.
In recent versions, there is a connection log that can be emitted. That will list all connections and the source ID which will be the identity ID in this case. Since the endpoints connect frequently to do service checks, etc. this should be highly accurate, within about 10 seconds assuming default configurations.
In the controller, you would need a configuration block similar to this example (note the type: connect statement, that’s the real key):
events:
eventsLogger:
subscriptions: