diff --git a/alembic/versions/0023_privacy_pm_level.py b/alembic/versions/0023_privacy_pm_level.py
new file mode 100644
index 0000000..be9586c
--- /dev/null
+++ b/alembic/versions/0023_privacy_pm_level.py
@@ -0,0 +1,38 @@
+"""add privacy private messages level
+
+Revision ID: 0023_privacy_pm_level
+Revises: 0022_user_access_revoked_before
+Create Date: 2026-03-09 00:40:00.000000
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+revision: str = "0023_privacy_pm_level"
+down_revision: Union[str, Sequence[str], None] = "0022_user_access_revoked_before"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column(
+        "users",
+        sa.Column("privacy_private_messages", sa.String(length=16), nullable=False, server_default=sa.text("'everyone'")),
+    )
+    op.execute(
+        sa.text(
+            "UPDATE users "
+            "SET privacy_private_messages = CASE "
+            "WHEN allow_private_messages IS TRUE THEN 'everyone' "
+            "ELSE 'nobody' "
+            "END"
+        )
+    )
+
+
+def downgrade() -> None:
+    op.drop_column("users", "privacy_private_messages")
+
diff --git a/app/auth/router.py b/app/auth/router.py
index ec89606..0487ede 100644
--- a/app/auth/router.py
+++ b/app/auth/router.py
@@ -23,6 +23,7 @@ from app.auth.service import (
     disable_twofa,
     enable_twofa,
     get_current_user,
+    get_access_session_info,
     get_email_sender,
     get_request_metadata,
     login_user,
@@ -37,6 +38,7 @@ from app.auth.service import (
     reset_password,
     setup_twofa,
     verify_email,
+    oauth2_scheme,
 )
 from app.database.session import get_db
 from app.email.service import EmailService
@@ -147,7 +149,10 @@ async def me(current_user: User = Depends(get_current_user)) -> AuthUserResponse
 
 
 @router.get("/sessions", response_model=list[SessionRead])
-async def list_sessions(current_user: User = Depends(get_current_user)) -> list[SessionRead]:
+async def list_sessions(
+    current_user: User = Depends(get_current_user),
+    access_token: str = Depends(oauth2_scheme),
+) -> list[SessionRead]:
     sessions = await list_user_sessions(current_user.id)
     out: list[SessionRead] = []
     for item in sessions:
@@ -157,8 +162,23 @@ async def list_sessions(current_user: User = Depends(get_current_user)) -> list[
                 created_at=datetime.fromtimestamp(item.created_at, tz=timezone.utc),
                 ip_address=item.ip_address,
                 user_agent=item.user_agent,
+                current=False,
+                token_type="refresh",
             )
         )
+    access_session = get_access_session_info(access_token)
+    if access_session and all(item.jti != access_session[0] for item in out):
+        out.insert(
+            0,
+            SessionRead(
+                jti=access_session[0],
+                created_at=access_session[1],
+                ip_address=None,
+                user_agent="Current access token",
+                current=True,
+                token_type="access",
+            ),
+        )
     return out
 
 
diff --git a/app/auth/schemas.py b/app/auth/schemas.py
index 7781f6e..86b2864 100644
--- a/app/auth/schemas.py
+++ b/app/auth/schemas.py
@@ -1,7 +1,7 @@
 from datetime import datetime
 
 from pydantic import BaseModel, ConfigDict, EmailStr, Field
-from app.users.schemas import GroupInvitePrivacyLevel, PrivacyLevel
+from app.users.schemas import GroupInvitePrivacyLevel, PrivacyLevel, PrivateMessagesPrivacyLevel
 
 
 class RegisterRequest(BaseModel):
@@ -60,6 +60,7 @@ class AuthUserResponse(BaseModel):
     email_verified: bool
     twofa_enabled: bool
     allow_private_messages: bool = True
+    privacy_private_messages: PrivateMessagesPrivacyLevel = "everyone"
     privacy_last_seen: PrivacyLevel = "everyone"
     privacy_avatar: PrivacyLevel = "everyone"
     privacy_group_invites: GroupInvitePrivacyLevel = "everyone"
@@ -72,6 +73,8 @@ class SessionRead(BaseModel):
     created_at: datetime
     ip_address: str | None = None
     user_agent: str | None = None
+    current: bool = False
+    token_type: str = "refresh"
 
 
 class TwoFactorSetupRead(BaseModel):
diff --git a/app/auth/service.py b/app/auth/service.py
index d564e86..901ee5b 100644
--- a/app/auth/service.py
+++ b/app/auth/service.py
@@ -244,6 +244,20 @@ def get_request_metadata(request: Request) -> tuple[str | None, str | None]:
     return ip_address, user_agent
 
 
+def get_access_session_info(token: str) -> tuple[str, datetime] | None:
+    try:
+        payload = decode_token(token)
+    except ValueError:
+        return None
+    if payload.get("type") != "access":
+        return None
+    jti = payload.get("jti")
+    if not isinstance(jti, str) or not jti:
+        return None
+    issued_at = _token_issued_at(payload) or datetime.now(timezone.utc)
+    return jti, issued_at
+
+
 async def setup_twofa(db: AsyncSession, user: User) -> tuple[str, str]:
     if user.twofa_enabled and user.twofa_secret:
         secret = user.twofa_secret
diff --git a/app/chats/service.py b/app/chats/service.py
index c7ff190..9e2cf17 100644
--- a/app/chats/service.py
+++ b/app/chats/service.py
@@ -29,6 +29,7 @@ from app.messages.repository import (
 )
 from app.realtime.presence import get_users_online_map
 from app.users.repository import get_user_by_id, has_block_relation_between_users, is_user_in_contacts
+from app.users.service import can_user_receive_private_messages
 
 
 async def _can_view_last_seen(*, db: AsyncSession, target_user, viewer_user_id: int) -> bool:
@@ -177,7 +178,7 @@ async def create_chat_for_user(db: AsyncSession, *, creator_id: int, payload: Ch
         )
     if payload.type == ChatType.PRIVATE:
         target_user = await get_user_by_id(db, member_ids[0])
-        if target_user and not target_user.allow_private_messages:
+        if target_user and not await can_user_receive_private_messages(db, target_user=target_user, actor_user_id=creator_id):
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="User does not accept private messages",
diff --git a/app/messages/service.py b/app/messages/service.py
index 7029a8e..34e56ec 100644
--- a/app/messages/service.py
+++ b/app/messages/service.py
@@ -23,7 +23,7 @@ from app.messages.schemas import (
 )
 from app.notifications.service import dispatch_message_notifications
 from app.users.repository import has_block_relation_between_users
-from app.users.service import get_user_by_id
+from app.users.service import can_user_receive_private_messages, get_user_by_id
 
 
 async def create_chat_message(db: AsyncSession, *, sender_id: int, payload: MessageCreateRequest) -> Message:
@@ -42,7 +42,7 @@ async def create_chat_message(db: AsyncSession, *, sender_id: int, payload: Mess
             raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Cannot send message due to block settings")
         if counterpart_id:
             counterpart = await get_user_by_id(db, counterpart_id)
-            if counterpart and not counterpart.allow_private_messages:
+            if counterpart and not await can_user_receive_private_messages(db, target_user=counterpart, actor_user_id=sender_id):
                 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User does not accept private messages")
     if payload.reply_to_message_id is not None:
         reply_to = await repository.get_message_by_id(db, payload.reply_to_message_id)
diff --git a/app/users/models.py b/app/users/models.py
index f334f8e..2f353c6 100644
--- a/app/users/models.py
+++ b/app/users/models.py
@@ -24,6 +24,7 @@ class User(Base):
     bio: Mapped[str | None] = mapped_column(String(500), nullable=True)
     email_verified: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False, index=True)
     allow_private_messages: Mapped[bool] = mapped_column(Boolean, default=True, nullable=False, server_default="true")
+    privacy_private_messages: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
     privacy_last_seen: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
     privacy_avatar: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
     privacy_group_invites: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
diff --git a/app/users/router.py b/app/users/router.py
index f7bd6a3..643514a 100644
--- a/app/users/router.py
+++ b/app/users/router.py
@@ -67,6 +67,7 @@ async def update_profile(
         bio=payload.bio,
         avatar_url=payload.avatar_url,
         allow_private_messages=payload.allow_private_messages,
+        privacy_private_messages=payload.privacy_private_messages,
         privacy_last_seen=payload.privacy_last_seen,
         privacy_avatar=payload.privacy_avatar,
         privacy_group_invites=payload.privacy_group_invites,
diff --git a/app/users/schemas.py b/app/users/schemas.py
index cbad25c..02f948d 100644
--- a/app/users/schemas.py
+++ b/app/users/schemas.py
@@ -6,6 +6,7 @@ from typing import Literal
 
 PrivacyLevel = Literal["everyone", "contacts", "nobody"]
 GroupInvitePrivacyLevel = Literal["everyone", "contacts"]
+PrivateMessagesPrivacyLevel = Literal["everyone", "contacts", "nobody"]
 
 
 class UserBase(BaseModel):
@@ -26,6 +27,7 @@ class UserRead(UserBase):
     bio: str | None = None
     email_verified: bool
     allow_private_messages: bool
+    privacy_private_messages: PrivateMessagesPrivacyLevel = "everyone"
     privacy_last_seen: PrivacyLevel = "everyone"
     privacy_avatar: PrivacyLevel = "everyone"
     privacy_group_invites: GroupInvitePrivacyLevel = "everyone"
@@ -40,6 +42,7 @@ class UserProfileUpdate(BaseModel):
     bio: str | None = Field(default=None, max_length=500)
     avatar_url: str | None = Field(default=None, max_length=512)
     allow_private_messages: bool | None = None
+    privacy_private_messages: PrivateMessagesPrivacyLevel | None = None
     privacy_last_seen: PrivacyLevel | None = None
     privacy_avatar: PrivacyLevel | None = None
     privacy_group_invites: GroupInvitePrivacyLevel | None = None
diff --git a/app/users/service.py b/app/users/service.py
index 3bd7520..25c6ee9 100644
--- a/app/users/service.py
+++ b/app/users/service.py
@@ -42,6 +42,7 @@ async def update_user_profile(
     bio: str | None = None,
     avatar_url: str | None = None,
     allow_private_messages: bool | None = None,
+    privacy_private_messages: str | None = None,
     privacy_last_seen: str | None = None,
     privacy_avatar: str | None = None,
     privacy_group_invites: str | None = None,
@@ -56,6 +57,11 @@ async def update_user_profile(
         user.avatar_url = avatar_url
     if allow_private_messages is not None:
         user.allow_private_messages = allow_private_messages
+        if privacy_private_messages is None:
+            user.privacy_private_messages = "everyone" if allow_private_messages else "nobody"
+    if privacy_private_messages is not None:
+        user.privacy_private_messages = privacy_private_messages
+        user.allow_private_messages = privacy_private_messages != "nobody"
     if privacy_last_seen is not None:
         user.privacy_last_seen = privacy_last_seen
     if privacy_avatar is not None:
@@ -127,12 +133,25 @@ async def can_invite_user_to_groups(db: AsyncSession, *, target_user: User, acto
     return await repository.is_user_in_contacts(db, owner_user_id=target_user.id, candidate_user_id=actor_user_id)
 
 
+async def can_user_receive_private_messages(db: AsyncSession, *, target_user: User, actor_user_id: int) -> bool:
+    if target_user.id == actor_user_id:
+        return True
+    policy = target_user.privacy_private_messages or ("everyone" if target_user.allow_private_messages else "nobody")
+    if policy == "everyone":
+        return True
+    if policy == "nobody":
+        return False
+    return await repository.is_user_in_contacts(db, owner_user_id=target_user.id, candidate_user_id=actor_user_id)
+
+
 async def serialize_user_for_viewer(db: AsyncSession, *, target_user: User, viewer_user_id: int) -> UserRead:
     payload = UserRead.model_validate(target_user).model_dump()
+    payload["allow_private_messages"] = bool(target_user.privacy_private_messages != "nobody")
     if not await can_view_user_avatar(db, target_user=target_user, viewer_user_id=viewer_user_id):
         payload["avatar_url"] = None
     if target_user.id != viewer_user_id:
         payload["allow_private_messages"] = True
+        payload["privacy_private_messages"] = "everyone"
         payload["privacy_last_seen"] = "everyone"
         payload["privacy_avatar"] = "everyone"
         payload["privacy_group_invites"] = "everyone"
diff --git a/docs/api-reference.md b/docs/api-reference.md
index 3b9a037..fd3de02 100644
--- a/docs/api-reference.md
+++ b/docs/api-reference.md
@@ -109,6 +109,19 @@ For `/health/ready` failure:
 }
 ```
 
+### SessionRead
+
+```json
+{
+  "jti": "uuid",
+  "created_at": "2026-03-08T10:00:00Z",
+  "ip_address": "127.0.0.1",
+  "user_agent": "Mozilla/5.0 ...",
+  "current": false,
+  "token_type": "refresh"
+}
+```
+
 ### AuthUserResponse
 
 ```json
@@ -121,6 +134,11 @@ For `/health/ready` failure:
   "avatar_url": "https://...",
   "email_verified": true,
   "twofa_enabled": false,
+  "allow_private_messages": true,
+  "privacy_private_messages": "everyone",
+  "privacy_last_seen": "everyone",
+  "privacy_avatar": "everyone",
+  "privacy_group_invites": "everyone",
   "created_at": "2026-03-08T10:00:00Z",
   "updated_at": "2026-03-08T10:00:00Z"
 }
@@ -140,6 +158,10 @@ For `/health/ready` failure:
   "bio": "optional",
   "email_verified": true,
   "allow_private_messages": true,
+  "privacy_private_messages": "everyone",
+  "privacy_last_seen": "everyone",
+  "privacy_avatar": "everyone",
+  "privacy_group_invites": "everyone",
   "twofa_enabled": false,
   "created_at": "2026-03-08T10:00:00Z",
   "updated_at": "2026-03-08T10:00:00Z"
@@ -166,11 +188,16 @@ For `/health/ready` failure:
   "username": "new_username",
   "bio": "new bio",
   "avatar_url": "https://...",
-  "allow_private_messages": true
+  "allow_private_messages": true,
+  "privacy_private_messages": "contacts",
+  "privacy_last_seen": "contacts",
+  "privacy_avatar": "everyone",
+  "privacy_group_invites": "contacts"
 }
 ```
 
 All fields are optional.
+`privacy_private_messages`: `everyone | contacts | nobody`.
 
 ## 3.3 Chats
 
@@ -500,7 +527,8 @@ Response: `200` + `AuthUserResponse`
 ### GET `/api/v1/auth/sessions`
 
 Auth required.  
-Response: `200` + `SessionRead[]`
+Response: `200` + `SessionRead[]`  
+Note: list includes refresh sessions and a synthetic current access-token session (`token_type=access`) for stable UI visibility.
 
 ### DELETE `/api/v1/auth/sessions/{jti}`
 
diff --git a/docs/core-checklist-status.md b/docs/core-checklist-status.md
index 18893b4..910e466 100644
--- a/docs/core-checklist-status.md
+++ b/docs/core-checklist-status.md
@@ -37,8 +37,8 @@ Legend:
 28. Notifications - `PARTIAL` (browser notifications + mute/settings; no mobile push infra)
 29. Archive - `DONE`
 30. Blacklist - `DONE`
-31. Privacy - `PARTIAL` (PM permission + block; full matrix controls still limited)
-32. Security - `PARTIAL` (sessions + revoke + 2FA base; revoke-all now invalidates active access tokens, UX/TOTP flow ongoing)
+31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; remaining edge UX/matrix hardening)
+32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; UX/TOTP recovery flow ongoing)
 33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates)
 34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages)
 35. Additional - `PARTIAL` (drafts/link preview partial/autoload media basic)
diff --git a/tests/test_auth_flow.py b/tests/test_auth_flow.py
index f69ecf1..83811ff 100644
--- a/tests/test_auth_flow.py
+++ b/tests/test_auth_flow.py
@@ -43,6 +43,15 @@ async def test_register_verify_login_and_me(client, db_session):
     assert me_data["email"] == "alice@example.com"
     assert me_data["email_verified"] is True
 
+    sessions_response = await client.get(
+        "/api/v1/auth/sessions",
+        headers={"Authorization": f"Bearer {token_data['access_token']}"},
+    )
+    assert sessions_response.status_code == 200
+    sessions = sessions_response.json()
+    assert len(sessions) >= 1
+    assert any(item.get("token_type") == "access" for item in sessions)
+
 
 async def test_refresh_token_rotation(client, db_session):
     payload = {
diff --git a/tests/test_chat_message_flow.py b/tests/test_chat_message_flow.py
index dc54786..05c4cc5 100644
--- a/tests/test_chat_message_flow.py
+++ b/tests/test_chat_message_flow.py
@@ -59,3 +59,40 @@ async def test_private_chat_message_lifecycle(client, db_session):
         headers={"Authorization": f"Bearer {u1['access_token']}"},
     )
     assert delete_message_response.status_code == 204
+
+
+async def test_private_chat_respects_contacts_only_policy(client, db_session):
+    u1 = await _create_verified_user(client, db_session, "pm_u1@example.com", "pm_user_one", "strongpass123")
+    u2 = await _create_verified_user(client, db_session, "pm_u2@example.com", "pm_user_two", "strongpass123")
+
+    me_u1 = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {u1['access_token']}"})
+    me_u2 = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {u2['access_token']}"})
+    u1_id = me_u1.json()["id"]
+    u2_id = me_u2.json()["id"]
+
+    update_privacy = await client.put(
+        "/api/v1/users/profile",
+        headers={"Authorization": f"Bearer {u2['access_token']}"},
+        json={"privacy_private_messages": "contacts"},
+    )
+    assert update_privacy.status_code == 200
+
+    create_chat_blocked = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [u2_id]},
+    )
+    assert create_chat_blocked.status_code == 403
+
+    add_contact = await client.post(
+        f"/api/v1/users/{u1_id}/contacts",
+        headers={"Authorization": f"Bearer {u2['access_token']}"},
+    )
+    assert add_contact.status_code == 204
+
+    create_chat_allowed = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [u2_id]},
+    )
+    assert create_chat_allowed.status_code == 200
diff --git a/web/src/api/users.ts b/web/src/api/users.ts
index cdda4d6..204a43b 100644
--- a/web/src/api/users.ts
+++ b/web/src/api/users.ts
@@ -14,6 +14,7 @@ interface UserProfileUpdatePayload {
   bio?: string | null;
   avatar_url?: string | null;
   allow_private_messages?: boolean;
+  privacy_private_messages?: "everyone" | "contacts" | "nobody";
   privacy_last_seen?: "everyone" | "contacts" | "nobody";
   privacy_avatar?: "everyone" | "contacts" | "nobody";
   privacy_group_invites?: "everyone" | "contacts";
diff --git a/web/src/chat/types.ts b/web/src/chat/types.ts
index eaf6a53..f467b2c 100644
--- a/web/src/chat/types.ts
+++ b/web/src/chat/types.ts
@@ -83,6 +83,7 @@ export interface AuthUser {
   email_verified: boolean;
   twofa_enabled?: boolean;
   allow_private_messages: boolean;
+  privacy_private_messages?: "everyone" | "contacts" | "nobody";
   privacy_last_seen?: "everyone" | "contacts" | "nobody";
   privacy_avatar?: "everyone" | "contacts" | "nobody";
   privacy_group_invites?: "everyone" | "contacts";
@@ -101,6 +102,8 @@ export interface AuthSession {
   created_at: string;
   ip_address?: string | null;
   user_agent?: string | null;
+  current?: boolean;
+  token_type?: "access" | "refresh";
 }
 
 export interface UserSearchItem {
diff --git a/web/src/components/SettingsPanel.tsx b/web/src/components/SettingsPanel.tsx
index 1591a2f..32d456f 100644
--- a/web/src/components/SettingsPanel.tsx
+++ b/web/src/components/SettingsPanel.tsx
@@ -26,7 +26,7 @@ export function SettingsPanel({ open, onClose }: Props) {
   const [prefs, setPrefs] = useState<AppPreferences>(() => getAppPreferences());
   const [blockedCount, setBlockedCount] = useState(0);
   const [savingPrivacy, setSavingPrivacy] = useState(false);
-  const [allowPrivateMessages, setAllowPrivateMessages] = useState(true);
+  const [privacyPrivateMessages, setPrivacyPrivateMessages] = useState<"everyone" | "contacts" | "nobody">("everyone");
   const [sessions, setSessions] = useState<AuthSession[]>([]);
   const [sessionsLoading, setSessionsLoading] = useState(false);
   const [twofaCode, setTwofaCode] = useState("");
@@ -52,7 +52,7 @@ export function SettingsPanel({ open, onClose }: Props) {
     if (!me) {
       return;
     }
-    setAllowPrivateMessages(me.allow_private_messages);
+    setPrivacyPrivateMessages(me.privacy_private_messages || (me.allow_private_messages ? "everyone" : "nobody"));
     setPrivacyLastSeen(me.privacy_last_seen || "everyone");
     setPrivacyAvatar(me.privacy_avatar || "everyone");
     setPrivacyGroupInvites(me.privacy_group_invites || "everyone");
@@ -314,7 +314,13 @@ export function SettingsPanel({ open, onClose }: Props) {
                 />
                 <SettingsRow
                   label="Privacy and Security"
-                  value={allowPrivateMessages ? "Everybody can message" : "Messages disabled"}
+                  value={
+                    privacyPrivateMessages === "everyone"
+                      ? "Everybody can message"
+                      : privacyPrivateMessages === "contacts"
+                        ? "Only contacts can message"
+                        : "Messages disabled"
+                  }
                   onClick={() => setPage("privacy")}
                 />
               </section>
@@ -417,6 +423,18 @@ export function SettingsPanel({ open, onClose }: Props) {
               <section className="rounded border border-slate-700/70 bg-slate-800/50 p-3">
                 <p className="mb-2 text-xs uppercase tracking-wide text-slate-400">Privacy</p>
                 <SettingsTextRow label="Blocked Users" value={String(blockedCount)} />
+                <div className="mb-2 rounded bg-slate-900/50 px-2 py-2">
+                  <p className="mb-1 text-xs text-slate-300">Who can send me private messages?</p>
+                  <select
+                    className="w-full rounded bg-slate-800 px-2 py-1 text-xs"
+                    value={privacyPrivateMessages}
+                    onChange={(e) => setPrivacyPrivateMessages(e.target.value as "everyone" | "contacts" | "nobody")}
+                  >
+                    <option value="everyone">Everybody</option>
+                    <option value="contacts">My contacts</option>
+                    <option value="nobody">Nobody</option>
+                  </select>
+                </div>
                 <div className="mb-2 rounded bg-slate-900/50 px-2 py-2">
                   <p className="mb-1 text-xs text-slate-300">Who can see my profile photo?</p>
                   <select
@@ -458,7 +476,8 @@ export function SettingsPanel({ open, onClose }: Props) {
                     setSavingPrivacy(true);
                     try {
                       const updated = await updateMyProfile({
-                        allow_private_messages: allowPrivateMessages,
+                        allow_private_messages: privacyPrivateMessages !== "nobody",
+                        privacy_private_messages: privacyPrivateMessages,
                         privacy_last_seen: privacyLastSeen,
                         privacy_avatar: privacyAvatar,
                         privacy_group_invites: privacyGroupInvites,
@@ -586,19 +605,27 @@ export function SettingsPanel({ open, onClose }: Props) {
                 <div className="space-y-2">
                   {sessions.map((session) => (
                     <div className="rounded bg-slate-900/50 px-2 py-2" key={session.jti}>
-                      <p className="truncate text-xs text-slate-300">{session.user_agent || "Unknown device"}</p>
+                      <p className="truncate text-xs text-slate-300">
+                        {session.user_agent || "Unknown device"}
+                        {session.current ? " (current)" : ""}
+                      </p>
+                      <p className="truncate text-[11px] text-slate-500">Token: {session.token_type || "refresh"}</p>
                       <p className="truncate text-[11px] text-slate-400">{session.ip_address || "Unknown IP"}</p>
                       <p className="text-[11px] text-slate-500">{new Date(session.created_at).toLocaleString()}</p>
-                      <button
-                        className="mt-1 rounded bg-slate-700 px-2 py-1 text-[11px]"
-                        onClick={async () => {
-                          await revokeSession(session.jti);
-                          setSessions((prev) => prev.filter((item) => item.jti !== session.jti));
-                        }}
-                        type="button"
-                      >
-                        Revoke
-                      </button>
+                      {session.token_type === "refresh" ? (
+                        <button
+                          className="mt-1 rounded bg-slate-700 px-2 py-1 text-[11px]"
+                          onClick={async () => {
+                            await revokeSession(session.jti);
+                            setSessions((prev) => prev.filter((item) => item.jti !== session.jti));
+                          }}
+                          type="button"
+                        >
+                          Revoke
+                        </button>
+                      ) : (
+                        <p className="mt-1 text-[11px] text-slate-500">Use Revoke all to invalidate active access token.</p>
+                      )}
                     </div>
                   ))}
                 </div>