POST /api/logout
Logs the user out and invalidates the supplied refresh token. The access token itself is not revoked by this call (see Behavior).
Endpoint
POST /api/logout
Headers
| Header | Value | Required |
|---|---|---|
| Authorization | Bearer {token} | Yes |
| Content-Type | application/json | Yes |
Request Body
{
"refresh_token": "string"
}
| Field | Type | Required | Description |
|---|---|---|---|
| refresh_token | string | No | Refresh token to invalidate. Optional in the schema, but clients should always send it so the server can revoke it (see Notes) |
Success Response
Code: 200 OK
{
"message": "Successfully logged out"
}
Error Responses
401 Unauthorized - Missing, expired or invalid access token
{
"code": 401,
"message": "JWT Token not found"
}
Examples
cURL
curl -X POST https://sig.ucp-pch.org/api/logout \
-H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..." \
-H "Content-Type: application/json" \
-d '{
"refresh_token": "d1f2a3b4c5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0"
}'
JavaScript
const logout = async () => {
  // Tokens are read from localStorage here. Anything in localStorage is
  // readable by every script running on the origin, so an XSS bug exposes them.
  const token = localStorage.getItem('token');
  const refreshToken = localStorage.getItem('refresh_token');
  try {
    await fetch('https://sig.ucp-pch.org/api/logout', {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${token}`,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        refresh_token: refreshToken
      })
    });
  } finally {
    // Always clean up local storage, even if the request failed: the server
    // does not revoke the access token, so discarding it here is what ends
    // the session on this device
    localStorage.removeItem('token');
    localStorage.removeItem('refresh_token');
    // Redirect to login page
    window.location.href = '/login';
  }
};
Python
import requests

token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
refresh_token = "d1f2a3b4c5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0"

response = requests.post(
    'https://sig.ucp-pch.org/api/logout',
    headers={
        'Authorization': f'Bearer {token}',
        'Content-Type': 'application/json',
    },
    json={'refresh_token': refresh_token},
    timeout=10,
)

if response.status_code == 200:
    print("Successfully logged out")
else:
    # 401 means the access token was missing, expired or invalid
    print(f"Logout failed: {response.status_code} {response.text}")
Behavior
Server side
- The supplied refresh token is invalidated in the database, so it can no longer be used to obtain new tokens
- Already issued access tokens (JWTs) are not revoked: they remain valid until their natural expiration (one hour after issuance), and this includes an access token that has been stolen
- The user will need to log in again to obtain new tokens
Client side
After logout, the client must:
- Delete the access token from storage
- Delete the refresh token from storage
- Redirect the user to the login page
- Clean up any application state related to the user
Notes
- Call the logout API before closing the application
- Even without calling the logout API, the access token expires on its own after 1 hour; the refresh token stays usable until it is explicitly invalidated
- For maximum security, always call the logout API to invalidate the refresh token, and clear both tokens from client storage regardless of the response