
POST /api/v2/logout

Log out the current user and invalidate their access token.

Headers

Authorization (string, required): Bearer token or JWT token from the login response
Content-Type (string, required): application/json

Authentication

This endpoint requires authentication. The user’s JWT token must be provided in the Authorization header.

Response

message (string): “Successfully Logged Out.”

How It Works

  1. Token is extracted from Authorization header
  2. Token is marked as blocked in user_token_logs table
  3. Token is added to Redis blacklist for fast validation
  4. Blacklist entry expires after configured time (REDIS_BLACKLIST_OBJECT_EXPIRY_IN_SEC)

Code Examples

curl -X POST https://api.thesouledstore.com/api/v2/logout \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json"

Error Responses

401 Unauthorized
{
  "title": "Unauthorized"
}
Returned when:
  • No Authorization header is provided
  • Token is invalid or expired
  • Token is already blacklisted

POST /api/v2/logout-all-device

Log out user from all devices by invalidating all active tokens.

Headers

Authorization (string, required): Bearer token from login
Content-Type (string, required): application/json

Authentication

Requires valid JWT token in Authorization header.

Response

message (string): “Successfully Logged Out From All Device.”

How It Works

  1. Retrieves all active (non-blocked) tokens for the user
  2. Adds all tokens to Redis blacklist
  3. Marks all tokens as blocked in user_token_logs table
  4. User must re-authenticate on all devices

Code Examples

curl -X POST https://api.thesouledstore.com/api/v2/logout-all-device \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json"

Use Cases

  • User suspects unauthorized access
  • Password was changed
  • Security policy requires re-authentication
  • User wants to revoke all active sessions

POST /api/v2/lgt-all

Internal endpoint to log out a user from all devices (Laravel integration). Access: internal use only; requires APP_ID and APP_KEY authentication instead of a user token.

Headers

Content-Type (string, required): application/json

Request Body

user_id (integer, required): User ID to log out
app_id (string, required): Application ID (validated against settings)
app_key (string, required): Application secret key (validated against settings)

Response

message (string): “Successfully Logged Out From All Device.”

Error Responses

401 Unauthorized (Missing User ID)
{
  "title": "Kindly Provide User ID"
}
401 Unauthorized (Missing Credentials)
{
  "title": "Kindly Provide APP ID and APP KEY"
}
401 Unauthorized (Invalid Credentials)
{
  "title": "Kindly Provide Valid APP ID and APP KEY"
}

Code Examples

curl -X POST https://api.thesouledstore.com/api/v2/lgt-all \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": 12345,
    "app_id": "your-app-id",
    "app_key": "your-app-secret-key"
  }'

Security Notes

  • This endpoint is for internal service-to-service communication
  • APP_ID and APP_KEY are validated against server configuration
  • Should not be exposed to public/client applications
  • Logs out user from ALL devices without exception

Token Blacklisting

All logout endpoints use a dual-layer approach:
  1. Database Layer: Tokens marked as blocked in user_token_logs table
  2. Cache Layer: Tokens added to Redis blacklist for fast validation

Blacklist Expiration

Blacklisted tokens expire from Redis after REDIS_BLACKLIST_OBJECT_EXPIRY_IN_SEC (typically matches JWT expiration time).

Token Validation Flow

# On subsequent requests:
1. Check if token exists in Redis blacklist → Reject if found
2. Decode JWT and validate signature
3. Check if token is blocked in database
4. Allow request if all checks pass

Best Practices

Client-Side

  1. Clear local storage: Remove token from localStorage/sessionStorage after logout
  2. Clear cookies: Remove any authentication cookies
  3. Redirect: Send user to login page after successful logout
  4. Handle errors: Display error if logout fails

Example Client Implementation

async function logout() {
  const token = localStorage.getItem('access_token');

  try {
    const response = await fetch(
      'https://api.thesouledstore.com/api/v2/logout',
      {
        method: 'POST',
        headers: {
          'Authorization': `Bearer ${token}`,
          'Content-Type': 'application/json'
        }
      }
    );

    if (response.ok) {
      // Clear local data (best practice 1)
      localStorage.removeItem('access_token');
      localStorage.removeItem('user_data');

      // Redirect to login (best practice 3)
      window.location.href = '/login';
    } else {
      // Handle errors (best practice 4): a 401 here means the token was
      // already invalid, expired or blacklisted on the server
      console.error('Logout failed with status', response.status);
    }
  } catch (error) {
    // Network failure: the token is still valid server-side
    console.error('Logout failed:', error);
  }
}

Server-Side

  1. Always validate tokens: Check blacklist before processing requests
  2. Set appropriate TTL: Match blacklist expiry to token expiry
  3. Monitor failed attempts: Log repeated logout failures
  4. Clean up old data: Periodically remove expired token logs
