The logout flow enables users to terminate their sessions and sign out of their accounts.

Create logout URL for browsers

curl -X GET 'https://your-project.projects.oryapis.com/self-service/logout/browser' \
  -H 'Accept: application/json' \
  -H 'Cookie: ory_kratos_session=...'

Endpoint

GET /self-service/logout/browser
Initializes a browser-based logout flow. Returns a logout token that must be used to complete the logout.
This endpoint is only for browser clients. For API clients (mobile apps, etc.), use the /self-service/logout/api endpoint instead.

Query parameters

return_to
string
URL to redirect the browser to after logout completion.

Headers

Cookie
string
required
Session cookie (ory_kratos_session). If it is missing or invalid, the endpoint returns a 401 error.

Response

logout_token
string
required
Logout token to be used when calling the logout endpoint.
logout_url
string
required
The URL to perform the logout. Typically GET /self-service/logout?token=....
{
  "logout_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "logout_url": "https://your-project.projects.oryapis.com/self-service/logout?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Status codes

Status  Description
200     Logout flow initialized, returns logout token
400     Invalid request
401     No active session
500     Internal server error

Usage

After receiving the logout token, redirect the user’s browser to the logout_url or call the logout endpoint with the token:
<!-- Option 1: Redirect -->
<a href="{{ logout_url }}">Sign Out</a>

<!-- Option 2: Call endpoint -->
<script>
  fetch('/self-service/logout?token=' + encodeURIComponent(logoutToken), {
    credentials: 'include',                 // send the session cookie, also cross-origin
    headers: { Accept: 'application/json' } // ask for 204 instead of a 303 redirect
  })
    .then((res) => {
      if (res.status !== 204) throw new Error('logout failed: ' + res.status)
      window.location.href = '/login'
    })
</script>

Perform logout for browsers

curl -X GET 'https://your-project.projects.oryapis.com/self-service/logout?token=logout-token' \
  -H 'Cookie: ory_kratos_session=...'

Endpoint

GET /self-service/logout
Logs out an identity in a self-service manner using a logout token.

Query parameters

token
string
required
The logout token from the /self-service/logout/browser endpoint.
return_to
string
URL to redirect to after logout. Overrides the return_to from flow initialization.

Headers

Cookie
string
Session cookie (ory_kratos_session).

Response

The response depends on the Accept header.

Without Accept: application/json:
  • 303 redirect to the return_to URL or the default redirect URL
  • Session cookie is cleared

With Accept: application/json:
  • 204 No Content on successful logout
  • No response body
  • Session cookie is cleared

Status codes

Status  Description
204     Successful logout (JSON requests)
303     Redirect to return_to URL (browser requests)
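The two-step browser logout described above, written out as one function. This is an added example, not Ory's own code: it uses the placeholder host from the page, takes an injectable fetchImpl so it can be exercised offline, and goes one step beyond the page's snippets by treating a 401 on flow initialization as "already logged out" and by forwarding an optional return_to. The fakeOryFetch stand-in below is constructed for the example; its 400 for an unknown or already-used token is the fake's choice, since the page only says an invalid token "returns an error".

```javascript
// Added example (not Ory's code): two-step browser logout against an injectable fetch.
const ORY_BASE_URL = 'https://your-project.projects.oryapis.com'; // placeholder host from the docs

async function browserLogout({ baseUrl = ORY_BASE_URL, returnTo, fetchImpl = globalThis.fetch } = {}) {
  // Step 1: initialize the flow. The browser attaches the ory_kratos_session cookie itself;
  // credentials: 'include' keeps that working when Ory is served from another origin.
  const initUrl = new URL('/self-service/logout/browser', baseUrl);
  if (returnTo) initUrl.searchParams.set('return_to', returnTo);
  const initRes = await fetchImpl(initUrl.toString(), {
    method: 'GET',
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });

  // 401: no active session. Nothing to revoke server-side, but the caller should still
  // drop whatever local state it keeps, so report it as a completed logout.
  if (initRes.status === 401) {
    return { loggedOut: true, hadSession: false, logoutUrl: null };
  }
  if (initRes.status !== 200) {
    throw new Error(`logout flow initialization failed with status ${initRes.status}`);
  }
  const body = await initRes.json();
  if (typeof body.logout_token !== 'string' || body.logout_token.length === 0) {
    throw new Error('logout flow response is missing logout_token');
  }

  // Step 2: complete the flow with the short-lived, single-use token. Requesting JSON turns
  // the 303 into a 204, so the outcome can be checked here instead of following a redirect.
  const completeUrl = new URL('/self-service/logout', baseUrl);
  completeUrl.searchParams.set('token', body.logout_token);
  if (returnTo) completeUrl.searchParams.set('return_to', returnTo); // overrides the flow's return_to
  const completeRes = await fetchImpl(completeUrl.toString(), {
    method: 'GET',
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });
  if (completeRes.status !== 204) {
    throw new Error(`logout failed with status ${completeRes.status}`);
  }
  return { loggedOut: true, hadSession: true, logoutUrl: body.logout_url };
}

// Constructed stand-in for the two Ory endpoints so the flow runs without a network.
// Tokens are single-use: the second call with the same token is rejected.
function fakeOryFetch({ hasSession = true } = {}) {
  const issued = new Set();
  let counter = 0;
  const calls = [];
  const fetchImpl = async function (url, init = {}) {
    const u = new URL(url);
    calls.push({ path: u.pathname, query: Object.fromEntries(u.searchParams), accept: init.headers?.Accept });
    if (u.pathname === '/self-service/logout/browser') {
      if (!hasSession) return { status: 401, json: async () => ({ error: 'no active session' }) };
      const token = `tok-${++counter}`;
      issued.add(token);
      return {
        status: 200,
        json: async () => ({ logout_token: token, logout_url: `${u.origin}/self-service/logout?token=${token}` }),
      };
    }
    if (u.pathname === '/self-service/logout') {
      const token = u.searchParams.get('token');
      if (!issued.delete(token)) return { status: 400, json: async () => ({}) }; // unknown or used (fake's choice)
      return { status: 204, json: async () => null };
    }
    return { status: 404, json: async () => ({}) };
  };
  fetchImpl.calls = calls;
  return fetchImpl;
}
```

In a real page you would call browserLogout() without fetchImpl and then clear any client-side session state and navigate to the login page; the fake exists only so the sequence (init, then complete with the issued token) can be observed.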

Perform logout for native apps

curl -X DELETE 'https://your-project.projects.oryapis.com/self-service/logout/api' \
  -H 'Content-Type: application/json' \
  -d '{
    "session_token": "your-session-token"
  }'

Endpoint

DELETE /self-service/logout/api
Revokes a session token for native apps. This endpoint does not remove HTTP cookies.
This endpoint is only for API clients (mobile apps, CLIs, etc.). For browser applications, use the browser logout flow to ensure cookies are properly cleared.

Request body

session_token
string
required
The Ory Session Token to revoke.
{
  "session_token": "your-session-token"
}

Response

Returns 204 No Content on success. A 204 response is also returned if the session token was already revoked.

Status codes

Status  Description
204     Session token revoked successfully
400     Invalid request or malformed token
403     Token is invalid or does not exist

Usage example

// Mobile app logout (React Native with AsyncStorage and a navigation object, as this snippet assumes)
const sessionToken = await AsyncStorage.getItem('session_token')

try {
  const res = await fetch('https://your-project.projects.oryapis.com/self-service/logout/api', {
    method: 'DELETE',
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ session_token: sessionToken })
  })
  // 204: revoked (also returned if it was already revoked); 403: token unknown.
  // Either way no usable session remains on the server.
  if (res.status !== 204 && res.status !== 403) {
    console.warn('Logout request failed with status', res.status)
  }
} finally {
  // Clear local storage regardless of the API response
  await AsyncStorage.removeItem('session_token')

  // Navigate to login screen
  navigation.navigate('Login')
}

Browser vs API logout comparison

Feature          Browser flow                                                      API flow
Endpoint         GET /self-service/logout/browser, then GET /self-service/logout   DELETE /self-service/logout/api
Authentication   Session cookie                                                    Session token in request body
Response         Redirect or 204                                                   204 No Content
Cookies          Clears HTTP cookies                                               Does not affect cookies
Use case         Web applications                                                  Mobile apps, CLIs, backend services

Security considerations

Browser logout

  • Always use the two-step process: get token, then logout with token
  • The logout token is short-lived and single-use
  • Session cookies are properly cleared on logout
  • CSRF protection is maintained through the token mechanism

API logout

  • Store session tokens securely (encrypted storage, keychain, etc.)
  • Clear session tokens from local storage after logout
  • Session token revocation is immediate
  • Consider implementing token refresh for long-lived sessions

Error handling

Both logout endpoints are designed to be idempotent:
  • Logging out an already-logged-out session returns success (204)
  • Using an invalid token returns an error
  • Using an expired token returns an error

Always handle logout errors gracefully and clean up local state regardless of the API response.
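The native-app logout from the "Perform logout for native apps" section combined with the error-handling rule just stated: the token is revoked, the status is mapped to an outcome using the codes the page lists (204 revoked, 403 unknown, 400 malformed), and the local copy of the token is removed on every path, including a failed request. This is an added example, not Ory's code; the placeholder host comes from the page, and memoryStorage and fakeLogoutApi are constructed stand-ins for a keychain-backed store and for the endpoint.

```javascript
// Added example (not Ory's code): revoke a native-app session token and always clear local state.
const ORY_LOGOUT_API = 'https://your-project.projects.oryapis.com/self-service/logout/api'; // placeholder host

// Maps the endpoint's status codes (as documented) to an outcome; anything else is an error.
async function revokeSessionToken(sessionToken, { fetchImpl = globalThis.fetch, url = ORY_LOGOUT_API } = {}) {
  const res = await fetchImpl(url, {
    method: 'DELETE',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ session_token: sessionToken }),
  });
  switch (res.status) {
    case 204: return 'revoked';        // success; also returned when the token was already revoked
    case 403: return 'unknown_token';  // token invalid or does not exist: nothing left to revoke
    case 400: throw new Error('malformed logout request');
    default: throw new Error(`unexpected status ${res.status}`);
  }
}

// Logout wrapper: whatever the API answers, the token must not survive in local storage.
async function nativeLogout(storage, opts = {}) {
  const sessionToken = await storage.getItem('session_token');
  if (!sessionToken) return { outcome: 'no_local_token' };
  try {
    return { outcome: await revokeSessionToken(sessionToken, opts) };
  } catch (err) {
    return { outcome: 'error', error: err.message };
  } finally {
    await storage.removeItem('session_token'); // runs on every path above, including the error one
  }
}

// Constructed in-memory stand-in for secure storage (keychain, encrypted AsyncStorage, ...).
function memoryStorage(initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    getItem: async (key) => (data.has(key) ? data.get(key) : null),
    removeItem: async (key) => { data.delete(key); },
    has: (key) => data.has(key),
  };
}

// Constructed fake of the endpoint: one valid token, revoked on first call, and still
// answering 204 afterwards (the idempotent behaviour the docs describe). Unknown tokens get 403.
function fakeLogoutApi(validToken) {
  const revoked = new Set();
  return async function fetchImpl(_url, init) {
    let body;
    try { body = JSON.parse(init.body); } catch { return { status: 400 }; }
    if (typeof body.session_token !== 'string') return { status: 400 };
    if (body.session_token === validToken || revoked.has(body.session_token)) {
      revoked.add(body.session_token);
      return { status: 204 };
    }
    return { status: 403 };
  };
}
```

The design choice worth noting is the finally block: a network failure or an unexpected 5xx must not leave a revoked-or-not token on the device, so cleanup is unconditional and the caller only learns the outcome afterwards.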
