Console APIs - Authentication
User Logout
Logout users and invalidate their refresh tokens
POST
User Logout
Logout users and invalidate their refresh tokens to ensure secure session termination.Authentication
This endpoint does not require authentication as it’s used to terminate the user session.Request Body
The refresh token to invalidate during logout.
Response Fields
Human-readable message describing the result of the operation.
Operation status. Always “success” for successful logout.
Error Responses
400 Bad Request
400 Bad Request
- Missing refresh token
- Invalid request format
401 Unauthorized
401 Unauthorized
429 Too Many Requests
429 Too Many Requests
Usage Examples
Complete Logout Implementation
Client-Side Logout
Client-Side Logout
Server-Side Logout
Server-Side Logout
Rate Limits
- Rate Limit: 10 requests per minute per user
- Burst Limit: 20 requests per 5-minute window
Security Considerations
Token Invalidation
Token Invalidation
- Refresh tokens are immediately invalidated on the server
- Access tokens become invalid when they expire (no immediate invalidation)
- Implement client-side token cleanup for immediate effect
Session Security
Session Security
- Clear all client-side stored tokens and session data
- Implement proper session cleanup on the server side
- Redirect users to login page after logout
Error Handling
Error Handling
- Always clear client-side tokens even if server logout fails
- Implement graceful degradation for network failures
- Log logout events for security monitoring
Best Practices
Integration with Authentication Flow
Login/Logout Cycle
Login/Logout Cycle
- Login: User authenticates and receives access/refresh tokens
- API Usage: Access token used for authenticated requests
- Token Refresh: Refresh token used to get new access tokens
- Logout: Refresh token invalidated, user session terminated
Automatic Logout
Automatic Logout