Skip to main content
Version: v0.7

User Logout

Ory Kratos supports two logout flows:

  • Browser-based (easy): This flow works for all applications running on top of a browser. Websites, single-page apps, Cordova/Ionic, and so on.
  • API-based (advanced): This flow works for native applications like iOS (Swift), Android (Java), Microsoft (.NET), React Native, Electron, and others.

Self-Service Logout for Server-Side Browser Applications

To ensure that a logout was indeed intended by the user, Ory Kratos first generates a Logout URL for a given Ory Session Cookie. You can then open the Logout URL in the Browser.

After successful logout, the browser will be redirected either to the return_to query parameter from the initial request URL, or fall back to the default_browser_return_url value set in Ory Kratos' configuration file:

# kratos.yaml
import { Configuration, V0alpha1Api } from '@ory/kratos-client';
const kratos = new V0alpha1Api(new Configuration({ basePath: '' }));

const route = (req: Request, res: Response) => {
kratos.createSelfServiceLogoutFlowUrlForBrowsers(req.cookies['ory_kratos_session']).then(({data}) => {
.then(({ data }) => {
console.log(data.logout_url) // The logout URL

// You can render the logout URL like so:
// <a href="{{data.logout_url}}>Logout</a>

If an error occurs, the browser is redirected to the Error UI.

Self-Service Logout for Client-Side Browser Applications

Similar to Server-Side Browser Applications, Ory Kratos first generates a Logout URL for a given Ory Session Cookie. However, you can simply call the Logout URL using an AJAX request. Ory Kratos returns a 204 No Content response on success or an error otherwise.

Self-Service Logout for API Clients

API clients (e.g. native mobile apps) use Ory Session Tokens. To revoke such a token, call the logout API endpoint:

# Set your token here

curl -s -v -X DELETE \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
--data '{"session_token": "'$session_token'"}' \

> DELETE /self-service/logout/api HTTP/1.1
> Host:
> User-Agent: curl/7.64.1
> Accept: application/json
> Content-Type: application/json
> Content-Length: 53

< HTTP/1.1 204 No Content
< Cache-Control: private, no-cache, no-store, must-revalidate
< Vary: Cookie
< Date: Fri, 18 Jun 2021 09:42:04 GMT