Cookie Logout

POST

/api/auth/logout

const url = 'https://example.com/api/auth/logout';
const options = {method: 'POST'};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request POST \
  --url https://example.com/api/auth/logout

Logout by revoking the refresh cookie AND the access token JTI.

Clears the httpOnly cookie. If the refresh token is valid, revokes it. If an Authorization header is present, also revokes the access token’s JTI so non-deal sessions (password/magic-link login) are fully invalidated.

Cookie: __Secure-canvas_refresh= Header (optional): Authorization: Bearer <access_token> Returns: {“logged_out”: true}

Set-Cookie: __Secure-canvas_refresh=; Max-Age=0

Responses

200

Successful Response

application/json

CookieLogoutResponse

Response from POST /auth/logout (cookie-based).

object

logged_out

required

Logged Out

boolean

Example ^generated

{
  "logged_out": true
}

Cookie Logout

Responses

200

Example generated

Example ^generated