Logout
Logout from current session and invalidate access token.
Endpoint
POST /api/v1/auth/logout
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Yes | Bearer <access_token> |
Response
Success (204)
No content returned.
Error Codes
| Status | Code | Description |
|---|---|---|
| 400 | LOGOUT_FAILED | Logout failed |
| 401 | UNAUTHORIZED | Invalid or missing token |
| 422 | VALIDATION_ERROR | Request validation failed |
Data Flow
-
Authentication
- Verify access token
- Extract user ID and token ID
-
Token Revocation
- Add refresh token to revocation list (Redis)
- Set revocation expiry
-
Session Management
- Note: JWT access tokens are stateless
- Access tokens cannot be revoked server-side
- Tokens will expire naturally based on expiry time
-
Audit Logging
- Log logout event
- Record IP address and timestamp
-
Response
- Return 204 No Content
Features
- Invalidates current refresh token
- Logs logout event for audit
- Returns 204 No Content
- Note: JWT access tokens are stateless and cannot be revoked server-side
Important Notes
JWT access tokens are stateless and cannot be immediately revoked server-side. They will naturally expire based on their expiration time (typically 1 hour). For immediate revocation, use Logout All which revokes all refresh tokens.
Example
curl -X POST https://api.rivergen.com/api/v1/auth/logout \
-H "Authorization: Bearer <access_token>"
Related Endpoints
- Logout All - Logout from all sessions
- List Sessions - View active sessions