Logout

POST /v1/auth/logout

curl --request POST \
  --url https://api.example.com/v1/auth/logout \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "refreshToken": "<string>"
}
'
{
  "ok": true
}
Revokes the user’s refresh token and ends their session. This endpoint invalidates the provided refresh token, preventing it from being used to obtain new access tokens.

Authentication

Requires a valid access token in the Authorization header.

Request Body

refreshToken (string)
The refresh token to revoke. If not provided, the endpoint will still return success.
Validation: Must be a non-empty string if provided.
Providing the refresh token is optional but recommended to ensure the token is properly revoked on the server side.

Response

ok (boolean, required)
Always returns true on successful logout.

Example Request

curl -X POST https://api.rs-tunnel.example.com/v1/auth/logout \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "refreshToken": "hashed_refresh_token_string"
  }'

Example Response

200 Success
{
  "ok": true
}
401 Unauthorized
{
  "code": "MISSING_AUTH",
  "message": "Missing bearer access token."
}
400 Invalid Input
{
  "code": "INVALID_INPUT",
  "message": "Invalid logout request payload."
}

Error Codes

Code            HTTP Status   Description
MISSING_AUTH    401           Authorization header missing or malformed
INVALID_AUTH    401           Access token expired or invalid
INVALID_INPUT   400           Request body validation failed

Implementation Notes

  • The logout endpoint requires authentication to prevent unauthorized token revocation
  • Calling logout with an already-revoked refresh token will still return success
  • After logout, the access token remains valid until it expires (default: 15 minutes)
  • Best practice: Delete both access and refresh tokens from client storage after logout
Always clear both the access token and refresh token from your client storage after calling logout, even if the request fails.

Client-Side Cleanup

After successful logout, ensure you:
  1. Delete the access token from memory/storage
  2. Delete the refresh token from memory/storage
  3. Clear any cached user profile data
  4. Redirect the user to the login page or unauthenticated state
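
A client-side logout routine that follows the cleanup steps above and still clears local state when the request fails. This is an added example, not part of the original API documentation; the storage key names, the `memoryStorage` stand-in for Web Storage, and the injected `fetchImpl` and `onLoggedOut` parameters are assumptions made for illustration.

```javascript
// Added example. Key names and injected dependencies are assumptions.
const STORAGE_KEYS = ["accessToken", "refreshToken", "userProfile"];

// Constructed in-memory stand-in for the Web Storage interface (for offline runs).
function memoryStorage(initial = {}) {
  const items = new Map(Object.entries(initial));
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    removeItem: (key) => void items.delete(key),
  };
}

async function logout({ baseUrl, storage, fetchImpl = fetch, onLoggedOut = () => {} }) {
  const accessToken = storage.getItem("accessToken");
  const refreshToken = storage.getItem("refreshToken");
  const result = { revoked: false, error: null };
  try {
    const headers = { "Content-Type": "application/json" };
    if (accessToken) headers.Authorization = `Bearer ${accessToken}`;
    // refreshToken is optional but must be non-empty when sent, so omit it if absent.
    const body = refreshToken ? { refreshToken } : {};
    const res = await fetchImpl(`${baseUrl}/v1/auth/logout`, {
      method: "POST",
      headers,
      body: JSON.stringify(body),
    });
    const payload = await res.json();
    if (res.ok && payload.ok === true) result.revoked = true;
    else result.error = payload.code || `HTTP_${res.status}`;
  } catch (err) {
    // Network failure or non-JSON reply: the server-side token state is unknown.
    result.error = "REQUEST_FAILED";
  } finally {
    // Steps 1-3: wipe local state even when the request failed. The access
    // token stays valid server-side until it expires, so dropping it here is
    // what stops this client from using it.
    for (const key of STORAGE_KEYS) storage.removeItem(key);
    onLoggedOut(); // Step 4: e.g. navigate to the login page
  }
  return result;
}
```

A result with `revoked: false` means the server may not have revoked the refresh token, which is worth logging on the client.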
