Logout All

Logout from all sessions across all devices.

Endpoint

POST /api/v1/auth/logout-all

Headers

Header	Required	Description
`Authorization`	Yes	`Bearer <access_token>`

Response

Success (204)

No content returned.

Error Codes

Status	Code	Description
400	`LOGOUT_FAILED`	Logout failed
401	`UNAUTHORIZED`	Invalid or missing token
422	`VALIDATION_ERROR`	Request validation failed

Data Flow

Authentication
- Verify access token
- Get current user
Refresh Token Revocation
- Revoke all refresh tokens for the user
- Add all tokens to revocation list (Redis)
- Set revocation expiry
Session Invalidation
- Mark all sessions as revoked in database
- Update revoked_at timestamp
- Invalidate session cache
Device Trust Cleanup
- Optionally revoke all trusted devices
- Mark devices as inactive
Audit Logging
- Log logout all event
- Record IP address and timestamp
- Record number of sessions revoked
Response
- Return 204 No Content

Features

Revokes all refresh tokens for the user
Invalidates all sessions server-side
Logs logout event for audit
Returns 204 No Content
Security measure for compromised accounts

Important Notes

JWT access tokens are stateless and cannot be immediately revoked server-side. They will naturally expire based on their expiration time (typically 1 hour). All refresh tokens are immediately revoked, preventing new access tokens from being generated.

Example

curl -X POST https://api.rivergen.com/api/v1/auth/logout-all \
  -H "Authorization: Bearer <access_token>"

Logout - Logout from current session only
List Sessions - View active sessions
Change Password - Often triggers logout-all

Endpoint​

Headers​

Response​

Success (204)​

Error Codes​

Data Flow​

Features​

Important Notes​

Example​

Related Endpoints​