POST /auth/logout
curl -X POST "https://api.chronos.app/auth/logout" \
  -H "Accept: application/json" \
  -b "__Host-session=eyJhbG...; __Host-refresh=eyJhbG..."
{
  "message": "Logged out"
}

Request

No request body or parameters are required. The session is identified by the cookies sent with the request (curl -b above, or credentials: 'include' from the browser); calling the endpoint clears those cookies.

Response

message (string, required): Confirmation message indicating successful logout

Cookies Cleared

This endpoint deletes the following cookies. The names below describe each cookie's role; the actual cookie names come from configuration (the curl example above uses __Host-session and __Host-refresh):

session_token (cookie): Session cookie (name from SESSION_COOKIE_NAME config) is cleared by setting its value to empty and max-age to 0
refresh_token (cookie): Refresh token cookie (name from REFRESH_COOKIE_NAME config) is cleared by setting its value to empty and max-age to 0
csrf_token (cookie): CSRF token cookie (name from CSRF_COOKIE_NAME config) is cleared the same way

Error Codes

429 (error): Rate Limit Exceeded - Too many logout requests from this IP address

Rate Limits

This endpoint is rate-limited according to the RATE_LIMIT_AUTH configuration. The rate limiter uses the client's IP address as the key, so behind a reverse proxy or load balancer the application must be given the real client address (for example from a trusted X-Forwarded-For header); otherwise every user behind the proxy shares one bucket. A rate-limited (429) logout leaves the cookies in place, so the client should still perform its local cleanup.

Implementation Details

The endpoint clears cookies by:
  1. Setting cookie value to empty string
  2. Setting max-age=0 to immediately expire the cookie
  3. Maintaining the same cookie attributes (domain, path, secure, samesite) to ensure proper deletion: a browser identifies a cookie by name, domain and path, so a Set-Cookie with different attributes creates a second cookie instead of removing the original
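The helper below, an added example rather than the project's own code, builds the Set-Cookie headers that implement these three steps and adds the check a practitioner wants when the cookies carry a __Host- prefix (as in the curl example): a deletion header that violates the prefix rules is silently rejected by the browser, so the old session cookie would survive the logout. The cookie names, the attribute values and the assumption that the CSRF cookie is readable by JavaScript (so not HttpOnly) are illustrative, not taken from the page.

```python
# Added example, not the project's own code. Cookie names and attributes are
# assumptions for illustration; the real names come from SESSION_COOKIE_NAME,
# REFRESH_COOKIE_NAME and CSRF_COOKIE_NAME.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CookieSpec:
    """Attributes the cookie was originally set with; deletion must repeat them."""
    name: str
    path: str = "/"
    domain: Optional[str] = None
    secure: bool = True
    http_only: bool = True
    same_site: str = "Lax"


def check_prefix_rules(spec: CookieSpec) -> None:
    """Browsers drop a Set-Cookie that violates the __Host-/__Secure- prefix rules,
    so a non-compliant 'deletion' would leave the old cookie in place."""
    if spec.name.startswith("__Host-"):
        if not spec.secure or spec.path != "/" or spec.domain is not None:
            raise ValueError(f"{spec.name}: __Host- cookies need Secure, Path=/ and no Domain")
    elif spec.name.startswith("__Secure-") and not spec.secure:
        raise ValueError(f"{spec.name}: __Secure- cookies need Secure")


def clearing_header(spec: CookieSpec) -> str:
    """Set-Cookie value that deletes the cookie: empty value, Max-Age=0, same attributes."""
    check_prefix_rules(spec)
    parts = [f"{spec.name}=", "Max-Age=0", f"Path={spec.path}"]
    if spec.domain is not None:
        parts.append(f"Domain={spec.domain}")
    if spec.secure:
        parts.append("Secure")
    if spec.http_only:
        parts.append("HttpOnly")
    parts.append(f"SameSite={spec.same_site}")
    return "; ".join(parts)


# Assumed deployment: the three cookies from the page, with the CSRF cookie
# readable by JavaScript (double-submit pattern), hence not HttpOnly.
LOGOUT_COOKIES = (
    CookieSpec("__Host-session"),
    CookieSpec("__Host-refresh"),
    CookieSpec("__Host-csrf", http_only=False),
)


def logout_headers(cookies=LOGOUT_COOKIES) -> list:
    """The (header, value) pairs a logout response should carry."""
    return [("Set-Cookie", clearing_header(c)) for c in cookies]


if __name__ == "__main__":
    for name, value in logout_headers():
        print(f"{name}: {value}")
```

To verify a real deployment, run the curl command above with -i and confirm that one Set-Cookie line per cookie comes back with Max-Age=0 and the same Path, Secure and SameSite values the login response used.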

Server-Side Behavior

Important: This endpoint does NOT revoke tokens on the Supabase server. It only clears client-side cookies. The tokens remain valid until they naturally expire, so anyone who already holds a copy of the access or refresh token (a stolen cookie, or another device) can keep using it after this logout. If you need to invalidate tokens server-side (e.g., for security incidents), you should:
  1. Call this logout endpoint to clear client cookies
  2. Separately revoke the tokens in your Supabase dashboard or via admin API
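As an added example (not the project's code, and not a replacement for revoking the session in Supabase), the snippet below shows the gap and one way an application can close it on its own side: it reads a token's exp to show how long a cookie-only logout leaves it usable, and keeps a server-side denylist of logged-out tokens until they would have expired anyway. It assumes standard JWT claims (sub, iat, exp, optionally jti); the payload is decoded without signature verification only to read those claims, and a real handler must verify the signature first. The sample token is constructed, unsigned, for the demo.

```python
# Added example, not the project's own code. Claim names (sub, iat, exp, jti)
# are standard JWT claims and an assumption about the tokens in use.
import base64
import json
import time
from typing import Callable, Dict


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWT (no signature check; verify before trusting)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def seconds_remaining(token: str, now: float) -> float:
    """How long the token stays usable after a cookie-only logout."""
    return max(0.0, float(jwt_claims(token)["exp"]) - now)


class TokenDenylist:
    """Reject tokens that were logged out, until their own exp would have ended them."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._revoked: Dict[str, float] = {}  # token key -> exp

    @staticmethod
    def key_for(claims: dict) -> str:
        # A per-token id is best; without one, subject + issued-at identifies the token.
        return claims.get("jti") or f"{claims['sub']}:{claims['iat']}"

    def revoke(self, token: str) -> None:
        claims = jwt_claims(token)
        self._revoked[self.key_for(claims)] = float(claims["exp"])

    def is_revoked(self, token: str) -> bool:
        self._purge()
        return self.key_for(jwt_claims(token)) in self._revoked

    def _purge(self) -> None:
        now = self._clock()
        for key, exp in list(self._revoked.items()):
            if exp <= now:
                del self._revoked[key]  # expired anyway, the entry is no longer needed


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for the demo only (alg 'none', empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


if __name__ == "__main__":
    now = time.time()
    token = make_sample_token({"sub": "user-1", "iat": int(now), "exp": int(now) + 3600})
    denylist = TokenDenylist()
    denylist.revoke(token)  # what a logout handler would do in addition to clearing cookies
    print(denylist.is_revoked(token), seconds_remaining(token, now))
```

The denylist only helps if every authenticated request consults it after verifying the signature, and it makes the logout path stateful (shared storage such as Redis in a multi-instance deployment), which is the trade-off against the stateless behaviour the page describes.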

Security Notes

  • Returns 200 whether or not a session cookie was present, so the response does not reveal whether the caller was logged in (apart from the 429 documented above)
  • Cookies are cleared using the same security attributes they were set with
  • No valid session is required: the operation is stateless and only emits cookie-clearing headers
  • Safe to call multiple times (idempotent)

Usage Pattern

async function logout() {
  try {
    const response = await fetch('/auth/logout', {
      method: 'POST',
      credentials: 'include' // send the session cookies so the server can clear them
    });

    if (!response.ok) {
      // e.g. 429 from the auth rate limiter: the cookies were not cleared server-side
      console.warn('Logout returned status', response.status);
    }
  } catch (error) {
    // Network failure: cookies may remain, but client-side state is still cleared below
    console.error('Logout error:', error);
  } finally {
    // Clear client-side state and redirect regardless of the outcome
    localStorage.removeItem('user');
    sessionStorage.clear();
    window.location.href = '/login';
  }
}

Client-Side Cleanup

After calling logout, ensure you also clean up client-side state:
1. Clear Local Storage

Remove any cached user data, preferences, or tokens stored in localStorage

localStorage.clear();
// or selectively:
localStorage.removeItem('user');
localStorage.removeItem('preferences');

2. Clear Session Storage

Remove any temporary session data

sessionStorage.clear();

3. Reset Application State

If using a state management library (Redux, Zustand, etc.), reset to initial state

// Redux example
store.dispatch({ type: 'RESET' });

4. Redirect to Login

Navigate the user to the login page

window.location.href = '/login';

Best Practice: Even if the logout request fails due to network issues, perform client-side cleanup and redirect to the login page. The worst case is that old cookies remain, but the user won't have access to sensitive client-side data. Because the endpoint is idempotent, the logout can simply be retried on the next page load; and since the server does not revoke tokens, a cookie that survives is still a usable session until it expires.
Source: backend/app/routers/auth.py:265-272
