diff --git a/packages/backend-core/src/security/sessions.ts b/packages/backend-core/src/security/sessions.ts
index 39d24ee16a..284adbcd1f 100644
--- a/packages/backend-core/src/security/sessions.ts
+++ b/packages/backend-core/src/security/sessions.ts
@@ -23,6 +23,10 @@ function makeSessionID(userId: string, sessionId: string) {
 }
 
 export async function getSessionsForUser(userId: string) {
+  if (!userId) {
+    console.trace("Cannot get sessions for undefined userId")
+    return []
+  }
   const client = await redis.getSessionClient()
   const sessions = await client.scan(userId)
   return sessions.map((session: Session) => session.value)
diff --git a/packages/backend-core/src/security/tests/sessions.spec.ts b/packages/backend-core/src/security/tests/sessions.spec.ts
new file mode 100644
index 0000000000..7f01bdcdb7
--- /dev/null
+++ b/packages/backend-core/src/security/tests/sessions.spec.ts
@@ -0,0 +1,12 @@
+import * as sessions from "../sessions"
+
+describe("sessions", () => {
+  describe("getSessionsForUser", () => {
+    it("returns empty when user is undefined", async () => {
+      // @ts-ignore - allow the undefined to be passed
+      const results = await sessions.getSessionsForUser(undefined)
+
+      expect(results).toStrictEqual([])
+    })
+  })
+})