Logout
This endpoint provides a mechanism to invalidate the user's session held by FusionAuth, this effectively logs the user out of the FusionAuth SSO and any applications by calling a application specific URL.
Calling this endpoint does not revoke refresh tokens or JWTs. You can revoke the former by using the Revoke Refresh Tokens API. To revoke JWTs, implement a revocation strategy.
Since 1.10.0 The logout behavior follows that of the OpenID Connect Front-Channel Logout specification.
The Logout URL used for each application is determined using the following precedence:
- The logoutURL of the Application if defined.
- The logoutURL configured on the Tenant if defined.
/
You can learn more about this behavior in the Logout And Session Management guide.
Request#
Request Parameters#
client_idStringoptionalThe unique client identifier. The client Id is the Id of the FusionAuth Application in which you are requesting to logout, this value is used to identify the correct redirect URI.
Generally speaking this parameter is required, if you are using the id_token_hint, this parameter becomes redundant because the application can be identified based upon the id_token.
If you do not provide the id_token_hint and you also omit this parameter, the request will not fail, but the logout URL defined in the Tenant configuration will be utilized.
If the Tenant logout URL is not defined, the request will result in a redirect to the current base URL at the root path of /.
id_token_hintStringoptionalAvailable since 1.10.0The id_token_hint parameter as described in the OpenID Connect Session Management specification.
This is the previously issued id_token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client.
This parameter is only used if client_id is not provided.
Note that prior to version 1.37.0 this parameter would only work if it was not expired. This was corrected in version 1.37.0 and as long as the token is signed by FusionAuth, even if expired, the token can be used to identify the user and application during the logout request.
post_logout_redirect_uriStringoptionalAvailable since 1.10.0The URI to redirect to upon a successful logout. This URI must have been configured previously in the FusionAuth Application OAuth configuration as an Authorized Redirect URL. See the Core Concepts OAuth section for additional information on configuring redirect URIs.
If this parameter is omitted, the logout URL defined in the Application OAuth configuration will be utilized.
If an Application OAuth logout URL is not defined, the logout URL defined in the Tenant configuration will be utilized.
If the Tenant logout URL is not defined, the request will result in a redirect to the current base URL at the root path of /.
stateStringoptionalAvailable since 1.10.0The state parameter as described in the OpenID Connect Session Management specification.
This is an opaque value used to maintain state between the logout request and the callback.
tenantIdUUIDrequiredAvailable since 1.8.0The unique Tenant Id used for applying the proper theme.
Available since version 1.37.0
Request Body#
client_idStringoptionalThe unique client identifier. The client Id is the Id of the FusionAuth Application in which you are requesting to logout, this value is used to identify the correct redirect URI.
Generally speaking this parameter is required, if you are using the id_token_hint, this parameter becomes redundant because the application can be identified based upon the id_token.
If you do not provide the id_token_hint and you also omit this parameter, the request will not fail, but the logout URL defined in the Tenant configuration will be utilized.
If the Tenant logout URL is not defined, the request will result in a redirect to the current base URL at the root path of /.
id_token_hintStringoptionalThe id_token_hint parameter as described in the OpenID Connect Session Management specification.
This is the previously issued id_token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client.
This parameter is only used if client_id is not provided.
Note that prior to version 1.37.0 this parameter would only work if it was not expired. This was corrected in version 1.37.0 and as long as the token is signed by FusionAuth, even if expired, the token can be used to identify the user and application during the logout request.
post_logout_redirect_uriStringoptionalThe URI to redirect to upon a successful logout. This URI must have been configured previously in the FusionAuth Application OAuth configuration as an Authorized Redirect URL. See the Core Concepts OAuth section for additional information on configuring redirect URIs.
If this parameter is omitted, the logout URL defined in the Application OAuth configuration will be utilized.
If an Application OAuth logout URL is not defined, the logout URL defined in the Tenant configuration will be utilized.
If the Tenant logout URL is not defined, the request will result in a redirect to the current base URL at the root path of /.
stateStringoptionalThe state parameter as described in the OpenID Connect Session Management specification.
This is an opaque value used to maintain state between the logout request and the callback.
tenantIdUUIDrequiredThe unique Tenant Id used for applying the proper theme.
Response#
Response Codes
| Code | Description |
|---|---|
| 302 | The request was successful and the redirect location will be determined by using the configuration values in the following precedence: * The post_logout_redirect_uri request parameter if present* The logoutURL defined in the Application OAuth configuration * The logoutURL defined in the Tenant OAuth configuration * / |
| 400 | The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation. |
| 500 | There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files. |
| 503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |