MATIH Platform is in active MVP development. Documentation reflects current implementation status.
6. Identity & Access Management

Logout

Production - POST /api/v1/auth/logout

Logout revokes the user's refresh token, preventing further token refresh operations. The access token remains valid until its natural expiration (default: 15 minutes) but cannot be renewed.


6.2.15 Single-Session Logout

Request

curl -X POST http://localhost:8081/api/v1/auth/logout \
  -H "Content-Type: application/json" \
  -d '{
    "refreshToken": "eyJhbGciOiJIUzI1NiJ9..."
  }'

Request Schema

Field          Type     Required   Description
refreshToken   String   Yes        The refresh token to revoke

Response (204 No Content)

Empty response body on success.

Implementation

@Transactional
public void logout(String refreshToken) {
    // Look up the presented refresh token; an unknown token is not treated as an error
    refreshTokenRepository.findByToken(refreshToken)
        .ifPresent(token -> {
            // Mark the token revoked, recording the reason (and timestamp) for the audit trail
            token.revoke("User logout");
            refreshTokenRepository.save(token);
            log.info("User logged out: {}", token.getUser().getEmail());
        });
}

The logout is graceful -- if the refresh token is not found (already expired, already revoked, or unknown), the operation still succeeds silently and the endpoint returns 204.


6.2.16 Logout From All Devices

The AuthenticationService also supports revoking all refresh tokens for a user, effectively logging them out of all devices:

@Transactional
public void logoutAll(Long userId) {
    // Bulk-revoke every live refresh token for this user, across all token families,
    // stamping each with the current time and an audit reason
    int revokedCount = refreshTokenRepository.revokeAllByUserId(
        userId, Instant.now(), "Logout from all devices"
    );
    log.info("Revoked {} refresh tokens for user ID: {}", revokedCount, userId);
}

This operation is typically triggered from the Session Management interface where users can revoke all sessions.


Post-Logout Behavior

After logout:

  • The refresh token is marked as revoked with a reason and timestamp
  • Any attempt to use the revoked refresh token returns a 401 error
  • The access token continues to work until it expires naturally
  • For immediate access revocation, clients should also call the session revocation endpoint
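The following is an added, self-contained model of the logout semantics described in the single-session logout, logout-from-all-devices and post-logout sections above. It is example code written for this page, not MATIH Platform code: the repository, the token family strings, the fake clock and the opaque token values are all assumptions made so the scenario runs offline, and the access token is represented only by its expiry time rather than a signed JWT. It shows that revoking a refresh token makes a refresh attempt fail with 401 while the access token keeps working until its 15-minute default expiry, that repeated or unknown-token logout calls still return 204, and that logout-all revokes only the user's remaining live tokens.

```python
"""Hypothetical in-memory model of refresh-token logout (example only, not project code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACCESS_TOKEN_TTL = timedelta(minutes=15)  # default access-token lifetime stated on the page


@dataclass
class RefreshToken:
    token: str
    user_id: int
    family: str            # assumed: one family per device/login
    revoked: bool = False
    revoked_at: Optional[datetime] = None
    revoke_reason: Optional[str] = None

    def revoke(self, reason: str, now: datetime) -> None:
        # Record reason and timestamp for the audit trail
        self.revoked = True
        self.revoked_at = now
        self.revoke_reason = reason


class RefreshTokenRepository:
    """Assumed stand-in for the JPA repository, keyed by token value."""

    def __init__(self) -> None:
        self._tokens: dict[str, RefreshToken] = {}

    def save(self, t: RefreshToken) -> None:
        self._tokens[t.token] = t

    def find_by_token(self, token: str) -> Optional[RefreshToken]:
        return self._tokens.get(token)

    def revoke_all_by_user_id(self, user_id: int, now: datetime, reason: str) -> int:
        # Revoke every live token of the user regardless of family; return how many changed
        count = 0
        for t in self._tokens.values():
            if t.user_id == user_id and not t.revoked:
                t.revoke(reason, now)
                count += 1
        return count


class FakeClock:
    """Controllable clock so access-token expiry can be exercised offline."""

    def __init__(self, start: datetime) -> None:
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


class AuthenticationService:
    def __init__(self, repo: RefreshTokenRepository, clock: FakeClock) -> None:
        self.repo = repo
        self.clock = clock

    def issue(self, user_id: int) -> tuple[str, datetime]:
        """Issue an opaque refresh token in a fresh family plus the access-token expiry."""
        rt = RefreshToken(secrets.token_urlsafe(32), user_id, secrets.token_hex(8))
        self.repo.save(rt)
        return rt.token, self.clock() + ACCESS_TOKEN_TTL

    def logout(self, refresh_token: str) -> int:
        """POST /api/v1/auth/logout: revoke if found and live, answer 204 either way."""
        t = self.repo.find_by_token(refresh_token)
        if t is not None and not t.revoked:   # keep the first audit record on repeat calls
            t.revoke("User logout", self.clock())
            self.repo.save(t)
        return 204

    def logout_all(self, user_id: int) -> int:
        return self.repo.revoke_all_by_user_id(user_id, self.clock(), "Logout from all devices")

    def refresh(self, refresh_token: str) -> int:
        """HTTP status a token-refresh attempt would receive."""
        t = self.repo.find_by_token(refresh_token)
        return 401 if t is None or t.revoked else 200

    def access_token_valid(self, expires_at: datetime) -> bool:
        # Access tokens are not revoked by logout; only the clock ends them
        return self.clock() < expires_at


def run_scenario() -> dict:
    """Walk through single-session logout, post-logout behaviour and logout-all."""
    clock = FakeClock(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc))
    svc = AuthenticationService(RefreshTokenRepository(), clock)
    rt_a, exp_a = svc.issue(user_id=1)   # user 1, device A
    rt_b, _ = svc.issue(user_id=1)       # user 1, device B (separate family)
    rt_other, _ = svc.issue(user_id=2)   # a different user
    out = {}
    out["logout_status"] = svc.logout(rt_a)                     # 204
    out["refresh_after_logout"] = svc.refresh(rt_a)             # 401
    out["other_device_unaffected"] = svc.refresh(rt_b)          # 200
    out["access_still_valid"] = svc.access_token_valid(exp_a)   # True, within 15 minutes
    out["logout_again"] = svc.logout(rt_a)                      # 204, graceful
    out["logout_unknown"] = svc.logout("not-a-real-token")      # 204, graceful
    out["reason"] = svc.repo.find_by_token(rt_a).revoke_reason  # "User logout"
    clock.advance(timedelta(minutes=16))
    out["access_after_expiry"] = svc.access_token_valid(exp_a)  # False
    out["revoked_by_logout_all"] = svc.logout_all(1)            # 1: only device B was still live
    out["device_b_after_logout_all"] = svc.refresh(rt_b)        # 401
    out["other_user_unaffected"] = svc.refresh(rt_other)        # 200
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The `revoked` guard in `logout` is a choice made for this example: re-revoking an already revoked token would overwrite the original audit reason and timestamp, which is exactly the record the Security Notes say should be preserved. The `logout_all` count of 1 rather than 2 shows the same thing from the bulk side: a token already revoked by a single-session logout is not counted again.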

Security Notes

  • Logout does not invalidate the access token. For immediate revocation, use the session revocation endpoints
  • The reason for revocation ("User logout") is recorded for audit purposes
  • Logout from all devices revokes all tokens in all token families for the user