
Logout User

curl -X POST https://api.sociapp.com/auth/logout \
  -H "Content-Type: application/json" \
  --cookie "refresh_token=YOUR_REFRESH_TOKEN"

Response:

{
  "message": "Logged out successfully"
}

Endpoint

POST /auth/logout

Authentication

No authentication required. This endpoint can be called by any client to clear cookies.

Behavior

When this endpoint is called, the server:
  1. Clears the refresh_token HTTP-only cookie
  2. Sets the clearing cookie's path to /auth/refresh (the same path the cookie was issued with; browsers only remove a cookie when the path matches)
  3. Returns a success message
The endpoint clears the refresh token cookie with these parameters:
  • Cookie Name: refresh_token
  • Path: /auth/refresh
  • Action: Cookie is removed from the client

Client-Side Implementation

After calling logout, the client should:
  1. Clear any stored access tokens from memory/localStorage
  2. Clear user state from application store
  3. Redirect to login page
  4. Remove Authorization headers from future requests

Example Implementation

// Complete logout flow
// `store` and `router` are the application's state store and router; they are
// assumed to be imported from your app (e.g. a Vuex/Pinia store and Vue Router).
async function logout() {
  try {
    // Call logout endpoint; credentials: 'include' sends the refresh_token
    // cookie so the server can clear it
    const response = await fetch('/auth/logout', {
      method: 'POST',
      credentials: 'include'
    });

    if (response.ok) {
      // Clear client-side tokens (the access token is not invalidated
      // server-side, so removing every local copy is the client's job)
      localStorage.removeItem('access_token');
      sessionStorage.clear();

      // Clear application state
      store.dispatch('auth/logout');

      // Redirect to login
      router.push('/');
    } else {
      console.error('Logout failed with status:', response.status);
    }
  } catch (error) {
    console.error('Logout failed:', error);
  }
}

Security Notes

  • HTTP-Only Cookies: Refresh tokens are stored in HTTP-only cookies and cannot be read by JavaScript
  • Path Restriction: The cookie is scoped to the /auth/refresh path only, so it is never sent with other requests
  • No Server-Side Invalidation: Tokens are not invalidated on the server (stateless JWT design); an access token that was copied or captured stays usable until it expires
  • Token Expiration: Access tokens naturally expire after 15 minutes

Token Lifecycle After Logout

Token Type    | What Happens
Access Token  | Client must delete; still valid until expiration (15 min)
Refresh Token | Cookie cleared; cannot be used for refresh

Existing access tokens remain valid until their expiration time. For high-security applications, implement server-side token revocation.
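The following is an added example, not part of the Sociapp API or its docs: a framework-free Node.js handler body for POST /auth/logout that builds the cookie-clearing header with the parameters listed under Behavior, and adds the optional server-side revocation suggested above as a denylist of access-token ids that expires with the tokens themselves. It assumes access-token payloads carry `jti` and `exp` (Unix seconds) and that signature verification happens before this code runs.

```javascript
// Added example (not the project's own code). Assumes JWT payloads contain
// `jti` and `exp` (seconds) and have already been signature-verified.

const ACCESS_TOKEN_TTL_SECONDS = 15 * 60; // access tokens expire after 15 min

// Set-Cookie value that makes the browser drop the refresh_token cookie.
// Path must equal the path the cookie was issued with (/auth/refresh),
// otherwise the browser treats it as a different cookie and keeps the original.
function clearRefreshTokenCookie() {
  return 'refresh_token=; Path=/auth/refresh; HttpOnly; Secure; SameSite=Strict; Max-Age=0';
}

// Denylist of revoked access-token ids: jti -> exp (Unix seconds).
// Entries are dropped once the token would have expired anyway, so the map
// holds at most 15 minutes' worth of logouts.
const revoked = new Map();

function revokeAccessToken(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Purge expired entries on every write so the map never grows unbounded.
  for (const [jti, exp] of revoked) if (exp <= nowSeconds) revoked.delete(jti);
  if (payload.exp > nowSeconds) revoked.set(payload.jti, payload.exp);
}

// Called by the auth middleware on every request that presents an access token.
function isAccessTokenRevoked(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const exp = revoked.get(payload.jti);
  return exp !== undefined && exp > nowSeconds;
}

// Handler body: always clears the cookie (no authentication required, as the
// docs state) and revokes the access token when the client presented one.
// Returns { status, headers, body } for the HTTP layer to emit.
function handleLogout(accessTokenPayload = null) {
  if (accessTokenPayload) revokeAccessToken(accessTokenPayload);
  return {
    status: 200,
    headers: {
      'Set-Cookie': clearRefreshTokenCookie(),
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ message: 'Logged out successfully' })
  };
}
```

Because each denylist entry lives exactly as long as its token, the check costs one map lookup per request and needs no background cleanup.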

Frontend Integration (Vue.js Example)

// In your auth store (Pinia)
import { defineStore } from 'pinia';
// The router import path is an assumption; adjust it to where your app defines its Vue Router instance.
import router from '@/router';

export const useAuthStore = defineStore('auth', {
  // State fields referenced by logout() below
  state: () => ({
    user: null,
    isAuthenticated: false
  }),
  actions: {
    async logout() {
      try {
        // Call logout endpoint; credentials: 'include' sends the refresh_token cookie
        await fetch('/auth/logout', {
          method: 'POST',
          credentials: 'include'
        });

        // Clear local state
        this.user = null;
        this.isAuthenticated = false;

        // Redirect
        router.push('/');
      } catch (error) {
        console.error('Logout error:', error);
      }
    }
  }
});
