Hi @mgerar the _Session class is not managed in the same way as other classes by Parse Server.
You can see a public configuration, public read and write. But it’s not the case.
Only connected user can query the Session. Each session is always protected by ACL with the user. So a user can only query his own sessions.
A user can create a new session but only for itself and he can’t set the session token ( but he can set some additional fields if you added some additional fields on the session class)
The default configuration is safe, the parse dashboard could lead to a misunderstanding 