Skip to main content
POST
/
auth
/
logout
curl -X POST 'https://api.weir.ai/auth/logout' \
  -H 'Content-Type: application/json' \
  -d '{
    "refreshToken": "refresh_token_123456789"
  }'

{
  "message": "Logout successful",
  "status": "success"
}

User Logout

Logout users and invalidate their refresh tokens to ensure secure session termination. 
curl -X POST 'https://api.weir.ai/auth/logout' \
  -H 'Content-Type: application/json' \
  -d '{
    "refreshToken": "refresh_token_123456789"
  }'

{
  "message": "Logout successful",
  "status": "success"
}

Authentication

This endpoint does not require authentication as it’s used to terminate the user session.

Request Body

refreshToken
string
required
The refresh token to invalidate during logout.

Response Fields

message
string
required
Human-readable message describing the result of the operation.
status
string
required
Operation status. Always “success” for successful logout.

Error Responses

{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid request parameters",
    "details": {
      "refreshToken": "Refresh token is required"
    }
  },
  "status": "error"
}
Causes:
  • Missing refresh token
  • Invalid request format
{
  "error": {
    "code": "INVALID_REFRESH_TOKEN",
    "message": "Invalid refresh token",
    "details": "The provided refresh token is invalid or already expired"
  },
  "status": "error"
}
Causes:
  • Invalid refresh token
  • Already expired refresh token
  • Token already invalidated
{
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "Too many logout requests",
    "details": "Rate limit of 10 logout requests per minute exceeded"
  },
  "status": "error"
}
Solution: Wait for the rate limit window to reset before making another logout request.

Usage Examples

const logout = async (refreshToken) => {
  try {
    const response = await fetch('https://api.weir.ai/auth/logout', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({ refreshToken })
    });
    
    if (!response.ok) {
      throw new Error(`HTTP error! status: ${response.status}`);
    }
    
    const data = await response.json();
    
    // Clear stored tokens
    localStorage.removeItem('accessToken');
    localStorage.removeItem('refreshToken');
    localStorage.removeItem('tokenExpiresAt');
    
    return data;
  } catch (error) {
    console.error('Logout error:', error);
    // Still clear local tokens even if server request fails
    localStorage.clear();
    throw error;
  }
};

// Usage
await logout('refresh_token_123456789');
console.log('User logged out successfully');

Complete Logout Implementation

class AuthManager {
  constructor() {
    this.accessToken = localStorage.getItem('accessToken');
    this.refreshToken = localStorage.getItem('refreshToken');
  }
  
  async logout() {
    try {
      // Call logout endpoint to invalidate server-side tokens
      if (this.refreshToken) {
        await fetch('https://api.weir.ai/auth/logout', {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({ refreshToken: this.refreshToken })
        });
      }
    } catch (error) {
      console.warn('Server logout failed:', error);
      // Continue with client-side cleanup
    } finally {
      // Always clear client-side tokens
      this.clearTokens();
      this.redirectToLogin();
    }
  }
  
  clearTokens() {
    localStorage.removeItem('accessToken');
    localStorage.removeItem('refreshToken');
    localStorage.removeItem('tokenExpiresAt');
    this.accessToken = null;
    this.refreshToken = null;
  }
  
  redirectToLogin() {
    window.location.href = '/login';
  }
}

// Express.js example
app.post('/logout', async (req, res) => {
  try {
    const { refreshToken } = req.body;
    
    // Call Weir AI logout endpoint
    await fetch('https://api.weir.ai/auth/logout', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ refreshToken })
    });
    
    // Clear server-side session
    req.session.destroy();
    
    res.json({ message: 'Logout successful', status: 'success' });
  } catch (error) {
    console.error('Logout error:', error);
    res.status(500).json({ error: 'Logout failed' });
  }
});

Rate Limits

  • Rate Limit: 10 requests per minute per user
  • Burst Limit: 20 requests per 5-minute window

Security Considerations

  • Refresh tokens are immediately invalidated on the server
  • Access tokens become invalid when they expire (no immediate invalidation)
  • Implement client-side token cleanup for immediate effect
  • Clear all client-side stored tokens and session data
  • Implement proper session cleanup on the server side
  • Redirect users to login page after logout
  • Always clear client-side tokens even if server logout fails
  • Implement graceful degradation for network failures
  • Log logout events for security monitoring

Best Practices

Server-Side Invalidation

Call the logout endpoint to invalidate refresh tokens on the server.

Client-Side Cleanup

Clear all stored tokens and session data from the client.

Session Termination

Terminate any active sessions and redirect to login page.

Error Handling

Implement proper error handling to ensure cleanup happens even if server request fails.

Integration with Authentication Flow

  1. Login: User authenticates and receives access/refresh tokens
  2. API Usage: Access token used for authenticated requests
  3. Token Refresh: Refresh token used to get new access tokens
  4. Logout: Refresh token invalidated, user session terminated
// Auto-logout on token expiration
function setupAutoLogout() {
  const tokenExpiresAt = localStorage.getItem('tokenExpiresAt');
  if (tokenExpiresAt) {
    const timeUntilExpiry = tokenExpiresAt - Date.now();
    if (timeUntilExpiry > 0) {
      setTimeout(() => {
        authManager.logout();
      }, timeUntilExpiry);
    }
  }
}
Pro Tip: Implement a comprehensive logout flow that handles both server-side token invalidation and client-side cleanup to ensure complete session termination.