POST /api/auth/logout
End the current session and invalidate refresh tokens.
This endpoint logs out the currently authenticated user.
It invalidates the active refresh token and clears the session cookie, preventing further token refresh.
When to use
- When a user explicitly logs out
- When ending a session from the client
Request
HTTP
POST /api/auth/logout
Authorization: Bearer <access_token>

A valid access token is required to identify the session.
The refresh token cookie must also be present.
Fetch / Axios
credentials: "include"

Set this option so the browser attaches the refresh token cookie to the request; without it the cookie is not sent and the server cannot invalidate the refresh token.
Response
Success (200 OK)
Response
{
"success": true
}

The refresh token cookie is cleared and cannot be used again.
Errors
Unauthorized (401)
Error
{
"success": false,
"message": "Unauthorized"
}

Rate limited (429)
Error
{
"success": false,
"message": "Too many requests"
}

Notes
- After logout, refresh requests will fail
- Clients should discard any stored access tokens
- This endpoint is idempotent
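The following client-side helper is an added example and not code from the original API docs. It performs the request described above (POST with the Bearer access token and `credentials: "include"` for the refresh token cookie), then applies the Notes: on 200 or 401 it discards the stored access token, on 429 it keeps it so the caller can retry. The `fetchImpl` parameter, the token store and the `fakeFetch` responses are assumptions made so the example runs offline; in a browser you would pass the global `fetch`.

```javascript
// Added example, not part of the original API docs: a client-side logout helper for
// POST /api/auth/logout. It sends the Bearer access token and, via
// credentials: "include", the refresh-token cookie, then handles the three
// documented outcomes (200, 401, 429). `fetchImpl` is injected so the example
// runs offline against a constructed fake; in a browser pass the global fetch.

const LOGOUT_URL = "/api/auth/logout"; // endpoint path from the docs

// Minimal in-memory access-token store (assumed stand-in for wherever the client keeps it).
function createTokenStore(initialToken) {
  let accessToken = initialToken;
  return {
    get: () => accessToken,
    clear: () => { accessToken = null; },
  };
}

// Perform the logout and return a small result object the caller can act on.
async function logout(store, fetchImpl) {
  const token = store.get();
  const res = await fetchImpl(LOGOUT_URL, {
    method: "POST",
    credentials: "include", // browser attaches the refresh-token cookie so the server can revoke it
    headers: token ? { Authorization: `Bearer ${token}` } : {},
  });
  const body = await res.json().catch(() => ({}));

  if (res.status === 200 && body.success === true) {
    store.clear(); // docs: clients should discard stored access tokens after logout
    return { ok: true, status: 200, retry: false };
  }
  if (res.status === 401) {
    // The server could not identify a session from this token, so it is useless
    // locally; drop it. The 401 body says nothing about the refresh cookie.
    store.clear();
    return { ok: false, status: 401, retry: false };
  }
  if (res.status === 429) {
    // Rate limited: the session is still live, keep the token and let the caller retry.
    return { ok: false, status: 429, retry: true };
  }
  return { ok: false, status: res.status, retry: false };
}

// Constructed fake fetch for offline use: records each request and returns a
// canned response object with the given status and JSON body.
function fakeFetch(status, jsonBody) {
  const calls = [];
  const impl = async (url, init) => {
    calls.push({ url, init });
    return { status, json: async () => jsonBody };
  };
  impl.calls = calls;
  return impl;
}

// Stand-alone demonstration against constructed responses taken from the docs.
async function demo() {
  const store = createTokenStore("constructed-access-token");
  const first = await logout(store, fakeFetch(200, { success: true }));
  console.log("200 case:", first, "token after:", store.get());

  const limited = createTokenStore("constructed-access-token");
  const throttled = await logout(limited, fakeFetch(429, { success: false, message: "Too many requests" }));
  console.log("429 case:", throttled, "token kept:", limited.get() !== null);
}

demo().catch((e) => {
  console.error(e);
  if (typeof process !== "undefined") process.exitCode = 1;
});
```

Because the helper clears the access token on 401 as well as on 200, a client that calls logout with an already-expired token still ends up in a clean local state; only the rate-limited path leaves the token in place.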
Related APIs
- POST /api/auth/login – Start a session
- POST /api/auth/refresh – Refresh access token