Description
Logs out the current user by clearing the JWT token cookie and adding the token to a blacklist to prevent reuse. This endpoint can be called even without an active session.
Request
No request body or query parameters required. The JWT token is read from the token cookie automatically.
Response
Success message indicating the user logged out successfully
Success Response (200)
{
"message": "User logged out successfully"
}
The server performs the following actions:
- Clears the token cookie from the client
- Adds the token to a blacklist database to prevent reuse
- Returns a success message
This endpoint returns a 200 status even if no token cookie is present, making it safe to call in any state.
Example Request
curl -X GET https://api.example.com/api/auth/logout \
-b cookies.txt \
-c cookies.txt
Implementation Details
- No authentication middleware required (public endpoint)
- The token cookie is automatically cleared by the server
- If a token exists, it’s added to a blacklist collection in the database
- Blacklisted tokens cannot be used for authentication, even if they haven’t expired
- Safe to call multiple times or without an active session
- Returns success (200) regardless of whether a token was present
Security Considerations
After logout, the JWT token is blacklisted, so even an attacker who obtains the old token cannot use it to authenticate requests.
Clearing the cookie only removes the token from the client; the token itself stays valid until it expires. The blacklist closes that gap: every authenticated request is checked against it, so a token cannot be reused after logout even while it is still unexpired. A blacklist entry only needs to be kept until the token's own expiry, after which the normal expiry check rejects it.