diff --git a/API.md b/API.md
index bbd38b9..a8e5852 100644
--- a/API.md
+++ b/API.md
@@ -166,7 +166,7 @@ This API is used to create new user app record and if the request is successful
 | Resource / HTTP method | POST (create) | GET (read) | PUT (update) | DELETE (delete) |
 | ---------------------------- | ------------------ | -------------- | -------------- | --------------- |
 | /v1/session/token/{token} | Create new session | Get sessions | Error | Error |
-| /v1/session/session/:session | Error | Get session | Error?? | Error?? |
+| /v1/session/session/:session | Error | Get session | Error | Error |
 
 
 
@@ -409,19 +409,3 @@ Or you can provide multiple keys at once:
 ```
 bunker unlock key1 key2 key3
 ```
-
-### View lock status
-
-```
-bunker status | jq .lock
-```
-
-Result:
-
-```
-locked
-```
-
-
-## Audit API
-
diff --git a/src/sessions_api.go b/src/sessions_api.go
index 45ff368..cb4fbe0 100644
--- a/src/sessions_api.go
+++ b/src/sessions_api.go
@@ -35,6 +35,9 @@ func (e mainEnv) newSession(w http.ResponseWriter, r *http.Request, ps httproute
 if userBson != nil {
 userTOKEN = userBson["token"].(string)
 event.Record = userTOKEN
+ } else {
+ returnError(w, r, "internal error", 405, nil, event)
+ return
 }
 }
 expiration := ""
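Review bot: The added else branch reports a user that lookupUserRecordByIndex did not find as HTTP 405 with the message "internal error"; 405 means Method Not Allowed, and the condition is a missing record, so `returnError(w, r, "not found", 404, nil, event)` is the accurate reply. If the lookup call just above the hunk discards its error the way the sibling handler in this commit does (`userBson, _ :=`), a database failure is reported exactly like a missing user and, with a nil err, nothing reaches the audit log; propagating that error into returnError as a 500 would separate the two cases. newSession's body begins and ends outside this hunk.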
@@ -70,3 +73,66 @@ func (e mainEnv) newSession(w http.ResponseWriter, r *http.Request, ps httproute
 fmt.Fprintf(w, `{"status":"ok","session":"%s"}`, sessionID)
 return
 }
+
+func (e mainEnv) getUserSessions(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+ address := ps.ByName("address")
+ mode := ps.ByName("mode")
+ event := audit("get all user sessions", address, mode, address)
+ defer func() { event.submit(e.db) }()
+
+ if e.enforceAuth(w, r, event) == false {
+ return
+ }
+ userTOKEN := ""
+ if mode == "token" {
+ if enforceUUID(w, address, event) == false {
+ return
+ }
+ userBson, _ := e.db.lookupUserRecord(address)
+ if userBson == nil {
+ // if token not found, exit from here
+ return
+ }
+ userTOKEN = address
+ } else {
+ // TODO: decode url in code!
+ userBson, _ := e.db.lookupUserRecordByIndex(mode, address, e.conf)
+ if userBson != nil {
+ userTOKEN = userBson["token"].(string)
+ event.Record = userTOKEN
+ } else {
+ returnError(w, r, "internal error", 405, nil, event)
+ return
+ }
+ }
+ records, count, err := e.db.getUserSessionByToken(userTOKEN)
+ if err != nil {
+ returnError(w, r, "internal error", 405, err, event)
+ return
+ }
+ resultJSON, err := json.Marshal(records)
+ w.Header().Set("Content-Type", "application/json; charset=utf-8")
+ w.WriteHeader(200)
+ fmt.Fprintf(w, `{"status":"ok","count":"%d","rows":"%"}`, count, resultJSON)
+ return
+}
+
+func (e mainEnv) getSession(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+ session := ps.ByName("session")
+ event := audit("get session", session, "session", session)
+ defer func() { event.submit(e.db) }()
+
+ if e.enforceAuth(w, r, event) == false {
+ return
+ }
+ record, userTOKEN, err := e.db.getUserSession(session)
+ if err != nil {
+ returnError(w, r, "internal error", 405, err, event)
+ return
+ }
+ event.Record = userTOKEN
+ w.Header().Set("Content-Type", "application/json; charset=utf-8")
+ w.WriteHeader(200)
+ fmt.Fprintf(w, 
`{"status":"ok","session":"%s","data":"%"}`, session, record)
+ return
+}
diff --git a/src/sessions_db.go b/src/sessions_db.go
index 43a6812..1e50494 100644
--- a/src/sessions_db.go
+++ b/src/sessions_db.go
@@ -45,23 +45,26 @@ func (dbobj dbcon) createSessionRecord(userTOKEN string, expiration string, data
 return tokenUUID, nil
 }
 
-func (dbobj dbcon) getUserSession(sessionUUID string) ([]byte, error) {
+func (dbobj dbcon) getUserSession(sessionUUID string) ([]byte, string, error) {
 record, err := dbobj.getRecord(TblName.Sessions, "session", sessionUUID)
- if record == nil || err != nil {
- return nil, errors.New("failed to authenticate")
+ if err != nil {
+ return nil, "", err
+ }
+ if record == nil {
+ return nil, "", errors.New("not found")
 }
 // check expiration
 now := int32(time.Now().Unix())
 if now > record["endtime"].(int32) {
- return nil, errors.New("session expired")
+ return nil, "", errors.New("session expired")
 }
 userTOKEN := record["token"].(string)
 encData0 := record["data"].(string)
 decrypted, err := dbobj.userDecrypt(userTOKEN, encData0)
 if err != nil {
- return nil, err
+ return nil, "", err
 }
- return decrypted, err
+ return decrypted, userTOKEN, err
 }
 
 func (dbobj dbcon) getUserSessionByToken(userTOKEN string) ([]*sessionEvent, int64, error) {
diff --git a/src/users_db.go b/src/users_db.go
index 89b8f9c..06f883c 100644
--- a/src/users_db.go
+++ b/src/users_db.go
@@ -386,7 +386,7 @@ func (dbobj dbcon) userEncrypt(userTOKEN string, data []byte) (string, error) {
 if err != nil {
 return "", err
 }
- // encrypt meta
+ // encrypt data
 encoded, err := encrypt(dbobj.masterKey, recordKey, data)
 if err != nil {
 return "", err
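Review bot: The response formatting in both new handlers is broken: `"rows":"%"` in getUserSessions and `"data":"%"` in getSession use `%"`, which is not a fmt verb, so the body carries a `%!"(...)` error marker instead of the payload, and even with `%s` the surrounding quotes would turn the array produced by json.Marshal into invalid JSON. The `resultJSON, err := json.Marshal(records)` result is written without checking err, and in the token branch `if userBson == nil { return }` sends nothing at all, so an unknown token yields an empty 200 while the index branch answers 405, a status that means Method Not Allowed where 404 is intended. Because `mode` comes straight from the URL and is handed to lookupUserRecordByIndex as an index name, it is worth confirming that helper checks it against a fixed list, which this diff does not show. For getUserSessions I would replace the tail as below and use `returnError(w, r, "not found", 404, nil, event)` for the missing token; for getSession, whether the decrypted `record` is JSON or opaque bytes is not visible here, so embed it with `%s` unquoted if it is JSON and otherwise pass it through json.Marshal so it is escaped.
```go
	// … unchanged: auth, token/index lookup …
	records, count, err := e.db.getUserSessionByToken(userTOKEN)
	if err != nil {
		returnError(w, r, "internal error", 500, err, event)
		return
	}
	resultJSON, err := json.Marshal(records)
	if err != nil {
		returnError(w, r, "internal error", 500, err, event)
		return
	}
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	w.WriteHeader(200)
	fmt.Fprintf(w, `{"status":"ok","count":%d,"rows":%s}`, count, resultJSON)
```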
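Review bot: The new not-found path returns an anonymous `errors.New("not found")`, so the getSession handler added in this commit cannot tell it (or "session expired") apart from a storage failure and reports all of them as 405 "internal error"; package-level sentinels such as `var errSessionNotFound = errors.New("not found")` and `var errSessionExpired = errors.New("session expired")`, checked with `errors.Is` in the API layer, would allow a 404 for the first two and a 500 for everything else. In the final `return decrypted, userTOKEN, err` the err is necessarily nil after the preceding check, so `return decrypted, userTOKEN, nil` states that directly. The single-value type assertions on `record["endtime"]` and `record["token"]` predate this change but still panic on a malformed record; the two-value form would turn that into a returned error.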