Does api/logout revoke the bearer/refresh token?
-
Does api/logout revoke the bearer/refresh token? https://fusionauth.io/docs/v1/tech/apis/login/#logout-a-user
-
The short answer is no, it does not.
-
The link you mention in your first post (https://fusionauth.io/docs/v1/tech/apis/login/#logout-a-user) has the following paragraph.
"The refresh token is only revoked if the request contains the refresh_token cookie or the refreshToken request parameter."
Does that not mean that, if you supply the refreshToken request parameter, then logout will revoke it?
-
Hello again!
Yes, this is how I read that as well from the documentation. You could also test that logout is enforcing the behavior that you are seeking by using the browser console to check for cookies. Or, if you are not storing the token in cookies, check the relevant location and/or behavior to ensure that the user's refresh/access tokens are properly removed/invalidated.
Based on the documentation, you should provide the refreshToken in the request to invalidate, as seen below:
Thanks,
Josh
Related Links
https://fusionauth.io/community/forum/topic/270/logout-questions/5
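One way to run the check suggested in the replies above, as an added example that is not part of the original thread or FusionAuth's own code: it confirms a refresh token works, calls /api/logout with the refreshToken parameter, and confirms the token no longer refreshes. The /api/jwt/refresh endpoint, its JSON body, the base URL, and all function names are assumptions not stated in the thread.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def _post(url, body=None):
    """POST and return the HTTP status; 4xx/5xx are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if body is not None else {}
    req = urllib.request.Request(url, data=data, method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def logout(base_url, refresh_token=None):
    """Call /api/logout, adding the refreshToken parameter only when given."""
    url = base_url.rstrip("/") + "/api/logout"
    if refresh_token is not None:
        url += "?" + urllib.parse.urlencode({"refreshToken": refresh_token})
    return _post(url)


def refresh_still_works(base_url, refresh_token):
    """True if the refresh token is still accepted (assumed refresh endpoint)."""
    url = base_url.rstrip("/") + "/api/jwt/refresh"
    return _post(url, {"refreshToken": refresh_token}) == 200


def check_logout_revokes(base_url, refresh_token):
    """Return (usable_before, logout_status, usable_after) for one token."""
    # The 'before' probe proves the token was valid, so 'after' is meaningful.
    # Assumes a reusable refresh token; a one-time-use token is spent by the probe.
    before = refresh_still_works(base_url, refresh_token)
    status = logout(base_url, refresh_token)
    after = refresh_still_works(base_url, refresh_token)
    return before, status, after


if __name__ == "__main__":
    import sys
    # Usage (placeholder host): python check_logout.py https://auth.example.com <refresh token>
    before, status, after = check_logout_revokes(sys.argv[1], sys.argv[2])
    print(f"usable before: {before}, logout status: {status}, usable after: {after}")
```

A result of `(True, 200, False)` means the token was valid and logout revoked it; `usable after: True` means the token survived logout.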