Logout

Logout from current session and invalidate access token.

Quick Navigation

• Endpoint
• Headers
• Response
• Success (204)
• Error Codes
• Data Flow
• Features
• Important Notes
• Example
• Related Endpoints

Endpoint

POST /api/v1/auth/logout

Headers

Header	Required	Description
Authorization	Yes	Bearer <access_token>

Response

Success (204)

No content returned.

Error Codes

Status	Code	Description
400	LOGOUT_FAILED	Logout failed
401	UNAUTHORIZED	Invalid or missing token
422	VALIDATION_ERROR	Request validation failed

Data Flow

1. Authentication

   • Verify access token
   • Extract user ID and token ID

2. Token Revocation

   • Add refresh token to revocation list (Redis)
   • Set revocation expiry

3. Session Management

   • Note: JWT access tokens are stateless
   • Access tokens cannot be revoked server-side
   • Tokens will expire naturally based on expiry time

4. Audit Logging

   • Log logout event
   • Record IP address and timestamp

5. Response

   • Return 204 No Content

Features

• Invalidates current refresh token
• Logs logout event for audit
• Returns 204 No Content
• Note: JWT access tokens are stateless and cannot be revoked server-side

Important Notes

JWT access tokens are stateless and cannot be immediately revoked server-side. They will naturally expire based on their expiration time (typically 1 hour). For immediate revocation, use Logout All which revokes all refresh tokens.

Example

curl -X POST https://api.rivergen.com/api/v1/auth/logout \
  -H "Authorization: Bearer <access_token>"

Related Endpoints

• Logout All - Logout from all sessions
• List Sessions - View active sessions