Logout
Revoke all client tokens and end the session
Revoke all tokens for the authenticated client and end the session.
Endpoint
POST /auth/logout

Authentication: Bearer token required
Headers
Authorization: Bearer {access_token}

Request Body
No request body is required; the endpoint identifies the client from the authenticated context carried by the Bearer token.
Response
Success (200 OK)
{
"message": "Successfully logged out"
}

Error Responses
401 Unauthorized
{
"error": "unauthorized",
"message": "Authentication required"
}

Examples
curl -X POST {{host}}/auth/logout \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

<?php
session_start();
// The access token is the one stored for this client at login.
$access_token = $_SESSION['access_token'] ?? '';

$ch = curl_init('{{host}}/auth/logout');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Bearer ' . $access_token
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Clear stored tokens regardless of the API result (see Security Considerations):
// a network failure must not leave the client logged in.
unset($_SESSION['access_token']);
unset($_SESSION['refresh_token']);

if ($response !== false && $httpCode === 200) {
    echo "Successfully logged out";
} else {
    // 401 means the token was already invalid; false means the request never completed.
    echo "Logged out locally; server-side revocation could not be confirmed";
}
?>

Security Considerations
- Always Clear Client-Side: Remove tokens from local storage even if the API call fails
- Server-Side Cleanup: The server revokes all tokens associated with the client
- Graceful Degradation: Handle network failures during logout gracefully
- Redirect After Logout: Always redirect users to a public page after logout
- Session Cleanup: Clear any other session-related data (user preferences, cached data, etc.)
Best Practices
- Immediate Token Removal: Clear tokens immediately when logout is initiated
- Error Handling: Don't prevent logout if the API call fails
- User Feedback: Show confirmation that logout was successful
- Global Logout: Consider implementing logout across all browser tabs
- Auto-Logout: Implement automatic logout on token expiration
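As an added example (not part of the original documentation and not this API's own client library), the following browser-side helper applies the Security Considerations and Best Practices above to the POST /auth/logout endpoint: it removes tokens and other session data before any network I/O, calls the endpoint with the Bearer token, treats a network failure or a 401 as a completed local logout, notifies other tabs, and schedules auto-logout from the access token's `exp` claim. The `storage`, `fetchFn`, `channel` and `redirect` parameters, the in-memory stand-ins, and the JWT payload used for testing are constructed assumptions for this example.

```javascript
// Added example: a logout client following the Security Considerations and Best
// Practices of the /auth/logout documentation. Browser dependencies are injected
// (storage = localStorage-like, fetchFn = fetch-like, channel = BroadcastChannel-like,
// redirect = navigation callback) so the logic also runs outside a browser.

const TOKEN_KEYS = ['access_token', 'refresh_token'];

// Read the `exp` claim from a JWT payload WITHOUT verifying the signature. The client
// only uses it to schedule auto-logout; the server remains the authority on validity.
function jwtExpiry(token) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    const json = typeof atob === 'function'
      ? atob(padded)
      : Buffer.from(padded, 'base64').toString('binary');
    const exp = JSON.parse(json).exp;
    return Number.isFinite(exp) ? exp * 1000 : null; // milliseconds since epoch
  } catch (_) {
    return null; // malformed token: no expiry known
  }
}

function createLogoutClient({ host, storage, fetchFn, channel = null, redirect = null }) {
  let expiryTimer = null;

  // Clear tokens and other session-related data locally. This never depends on
  // the network call succeeding ("Always Clear Client-Side").
  function clearLocalSession() {
    for (const key of TOKEN_KEYS) storage.removeItem(key);
    storage.removeItem('user_preferences'); // example of extra session-related data
    if (expiryTimer !== null) { clearTimeout(expiryTimer); expiryTimer = null; }
  }

  async function logout() {
    const token = storage.getItem('access_token');
    clearLocalSession(); // "Immediate Token Removal", before any I/O
    if (channel) channel.postMessage({ type: 'logout' }); // "Global Logout" across tabs

    let serverRevoked = false;
    let status = null;
    if (token) {
      try {
        const res = await fetchFn(`${host}/auth/logout`, {
          method: 'POST',
          headers: { Authorization: `Bearer ${token}` },
        });
        status = res.status;
        serverRevoked = res.status === 200; // 401: token was already invalid server-side
      } catch (_) {
        status = null; // "Graceful Degradation": network failure, local logout already done
      }
    }
    if (redirect) redirect('/'); // "Redirect After Logout" to a public page
    return { localCleared: true, serverRevoked, status };
  }

  // "Auto-Logout": fire logout() when the access token expires. Returns the delay in ms
  // (or null when no usable expiry is present). setTimer/now are injectable for testing.
  function scheduleAutoLogout(setTimer = setTimeout, now = Date.now()) {
    const exp = jwtExpiry(storage.getItem('access_token'));
    if (exp === null) return null;
    const delay = Math.max(0, exp - now);
    expiryTimer = setTimer(() => { logout(); }, delay);
    return delay;
  }

  // A logout performed in another tab clears this tab too, without a second API call.
  if (channel) {
    channel.onmessage = (ev) => {
      const msg = ev && ev.data;
      if (msg && msg.type === 'logout') clearLocalSession();
    };
  }

  return { logout, scheduleAutoLogout, clearLocalSession };
}

// Constructed in-memory stand-ins so the example can be exercised outside a browser.
function makeMemoryStorage(initial = {}) {
  const map = new Map(Object.entries(initial));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    keys: () => [...map.keys()],
  };
}

// Returns a fetch-like function that resolves with the given status, or rejects
// (like a real fetch on a network failure) when status is 'network-error'.
function makeFakeFetch(status) {
  return async () => {
    if (status === 'network-error') throw new TypeError('Failed to fetch');
    return { status };
  };
}
```

In a real page the call is `createLogoutClient({ host, storage: localStorage, fetchFn: fetch, channel: new BroadcastChannel('auth'), redirect: (url) => location.assign(url) })`; the stand-ins exist only so the logic can be checked without a browser or a live API.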