Version: v0.7

User Logout

Ory Kratos supports two logout flows:

  • Browser-based (easy): This flow works for all applications running on top of a browser. Websites, single-page apps, Cordova/Ionic, and so on.
  • API-based (advanced): This flow works for native applications like iOS (Swift), Android (Java), Microsoft (.NET), React Native, Electron, and others.

Self-Service Logout for Server-Side Browser Applications

To ensure that a logout was indeed intended by the user, Ory Kratos first generates a Logout URL for a given Ory Session Cookie. You can then open the Logout URL in the browser.

After a successful logout, the browser is redirected to the URL given in the return_to query parameter of the initial request URL or, if that is not set, to the default_browser_return_url value set in the Ory Kratos configuration file:

# kratos.yaml
selfservice:
  flows:
    logout:
      after:
        default_browser_return_url:

import { Configuration, V0alpha1Api } from '@ory/kratos-client';
// Assumes an Express app with cookie-parser, which populates req.cookies.
import { Request, Response } from 'express';

const kratos = new V0alpha1Api(new Configuration({ basePath: '' }));

const route = (req: Request, res: Response) => {
  // Generate a Logout URL bound to the caller's Ory Session Cookie.
  kratos
    .createSelfServiceLogoutFlowUrlForBrowsers(req.cookies['ory_kratos_session'])
    .then(({ data }) => {
      console.log(data.logout_url); // The logout URL

      // You can render the logout URL like so:
      // <a href="{{data.logout_url}}">Logout</a>
    });
};

If an error occurs, the browser is redirected to the Error UI.

Self-Service Logout for Client-Side Browser Applications

Similar to Server-Side Browser Applications, Ory Kratos first generates a Logout URL for a given Ory Session Cookie. However, you can simply call the Logout URL using an AJAX request. Ory Kratos returns a 204 No Content response on success or an error otherwise.
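The two-step client-side flow described above, as an added example that is not part of the Ory documentation or SDK. The `/self-service/logout/browser` path is the Kratos v0.7 public endpoint that generates the Logout URL (it is not stated on this page); `publicUrl`, `fetchImpl` and `makeFakeKratos` are hypothetical names, and the fake server with its token and error statuses is constructed so the example runs offline.

```javascript
// Added example (not Ory's code). `publicUrl` and `fetchImpl` are hypothetical
// parameters; pass the browser's fetch in a real single-page app.
async function logoutClientSide(publicUrl, fetchImpl = globalThis.fetch) {
  // credentials: 'include' sends the Ory Session Cookie; the Accept header
  // marks the call as a JSON/AJAX request.
  const opts = { credentials: 'include', headers: { Accept: 'application/json' } };

  // Step 1: Kratos issues a Logout URL bound to the session cookie we send.
  const created = await fetchImpl(`${publicUrl}/self-service/logout/browser`, opts);
  if (created.status !== 200) {
    throw new Error(`could not create logout URL: HTTP ${created.status}`);
  }
  const { logout_url: logoutUrl } = await created.json();

  // Added check: never send the session cookie to an origin other than Kratos.
  if (new URL(logoutUrl).origin !== new URL(publicUrl).origin) {
    throw new Error('logout_url points at an unexpected origin');
  }

  // Step 2: call the Logout URL. Only 204 No Content means the session is
  // revoked; on anything else the app must not treat the user as logged out.
  const done = await fetchImpl(logoutUrl, opts);
  if (done.status !== 204) {
    throw new Error(`logout failed: HTTP ${done.status}`);
  }
  return true;
}

// Constructed stand-in for Kratos (one session, one logout token), offline only.
function makeFakeKratos(publicUrl, { logoutOrigin = publicUrl } = {}) {
  const state = { sessionActive: true, token: 'constructed-logout-token' };
  const reply = (status, body) => ({ status, json: async () => body });
  const fetchImpl = async (url) => {
    const u = new URL(url);
    if (u.pathname === '/self-service/logout/browser') {
      if (!state.sessionActive) return reply(401, { error: 'no session' });
      const logoutUrl = `${logoutOrigin}/self-service/logout?token=${state.token}`;
      return reply(200, { logout_url: logoutUrl });
    }
    const tokenOk = u.searchParams.get('token') === state.token;
    if (u.pathname === '/self-service/logout' && tokenOk && state.sessionActive) {
      state.sessionActive = false;
      return reply(204, null);
    }
    return reply(403, { error: 'invalid logout token' });
  };
  return { fetchImpl, state };
}
```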

Self-Service Logout for API Clients

API clients (e.g. native mobile apps) use Ory Session Tokens. To revoke such a token, call the logout API endpoint:

# Set your token here
session_token=8ziz8oCx0dsgXnoJJgElTQ60cNnbohAr

curl -s -v -X DELETE \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  --data '{"session_token": "'$session_token'"}' \

> DELETE /self-service/logout/api HTTP/1.1
> Host:
> User-Agent: curl/7.64.1
> Accept: application/json
> Content-Type: application/json
> Content-Length: 53

< HTTP/1.1 204 No Content
< Cache-Control: private, no-cache, no-store, must-revalidate
< Vary: Cookie
< Date: Fri, 18 Jun 2021 09:42:04 GMT