
Logout

Revoke a refresh token and end the user's session.

Request

POST /api/v1/auth/logout

Authentication

Public - No authentication required (refresh token is optional in request body).

Request Body

{
"refreshToken": "f47ac10b-58cc-4372-a567-0e02b2c3d479"
}
Name           Type     Required   Description
refreshToken   string   No         Refresh token to revoke (if not provided, the request still succeeds)

Response

Success Response (200 OK)

{}

The endpoint returns an empty response body with a 200 OK status code.

Response Behavior

  • If a valid refresh token is provided, it is revoked and cannot be used for future token refresh requests
  • If no refresh token is provided, the request succeeds but nothing is revoked
  • If an invalid or already-revoked refresh token is provided, the request still succeeds with the same empty 200 response (the call is idempotent and does not reveal whether the token ever existed)
  • Access tokens are not affected: they remain valid until they expire naturally (they cannot be revoked server-side), so logout ends the ability to obtain new access tokens, not the current one

Error Responses

Status Code                 Description
400 Bad Request             Malformed request body
429 Too Many Requests       Rate limit exceeded
500 Internal Server Error   Server error occurred

Usage Notes

Client-Side Cleanup

When logging out, ensure you perform the following cleanup on the client side:

  1. Call this endpoint to revoke the refresh token
  2. Delete the refresh token from local storage
  3. Delete the access token from memory/storage
  4. Clear any cached user data
  5. Redirect to the login page

Access Token Validity

Access tokens remain valid until they expire. Since EntryGuard uses short-lived access tokens (typically 1 hour), an access token that is still held after logout, whether left behind on a shared device or stolen earlier, stays usable for at most that window. If immediate revocation is critical for your use case, consider:

  • Using shorter access token expiration times
  • Implementing additional server-side session tracking
  • Forcing users to re-authenticate for sensitive operations

Example

Logout Request

curl -X POST https://api.entryguard.io/api/v1/auth/logout \
-H "Content-Type: application/json" \
-d '{
"refreshToken": "f47ac10b-58cc-4372-a567-0e02b2c3d479"
}'

Example Response

{}

Logout Without Refresh Token

curl -X POST https://api.entryguard.io/api/v1/auth/logout \
-H "Content-Type: application/json" \
-d '{}'

This is useful for client-side cleanup when the refresh token is no longer available or has already been revoked.

Complete Logout Flow Example

// JavaScript example
async function logout() {
  const refreshToken = localStorage.getItem('refreshToken');

  try {
    // Revoke the refresh token on the server. The endpoint is public and
    // idempotent, so it is safe to call even when the token is missing,
    // expired or already revoked; in that case send an empty body.
    const response = await fetch('https://api.entryguard.io/api/v1/auth/logout', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify(refreshToken ? { refreshToken } : {})
    });
    if (!response.ok) {
      // 400/429/500: the token may still be live, but cleanup below proceeds regardless
      console.warn('Logout returned status', response.status);
    }
  } catch (error) {
    console.error('Logout error:', error);
    // Continue with client-side cleanup even if the server call fails
  }

  // Client-side cleanup: drop both tokens and any cached user data
  localStorage.removeItem('refreshToken');
  localStorage.removeItem('accessToken');
  localStorage.removeItem('user');

  // Redirect to the login page
  window.location.href = '/login';
}