Logout

The Logout endpoints enable the RP-initiated logout functionality for users in your application. Refer to Single Logout section for more details on how to handle RP-initiated or IdP-initiated logout.

Please note that the Logout feature is only available for Custom Open ID connections that provide specific logout features. These features include the presence of the revocation_endpoint and end_session_endpoint in the discovery document.

Logout Authorize

You should call this endpoint from your server to generate a logout token which is required for the Logout Redirect endpoint.

cURL

 curl --request POST \
  --url "https://auth.workos.com/sso/logout/authorize" \
  --header "Authorization: Bearer sk_example_123456789" \
  --header "Content-Type: application/json" \
  -d @- <<'BODY'
    {
        "profile_id": "prof_01HXYZ123456789ABCDEFGHIJ"
    }
BODY

POST

`/sso/logout/authorize`

`Returns`

Logout Redirect

Logout allows to sign out a user from your application by triggering the identity provider sign out flow. This GET endpoint should be a redirection, since the identity provider user will be identified in the browser session.

Before redirecting to this endpoint, you need to generate a short-lived logout token using the Logout Authorize endpoint.

cURL

 curl "https://auth.workos.com/sso/logout" \
  -G \
  -d token=eyJhbGciOiJSUzI1NiJ9

GET

`/sso/logout`

`Parameters`

VaultContinue to the next section

Up next

Logout

Logout Authorize

/sso/logout/authorize

profile_id: string

Returns

logout_url: string

logout_token: string

Logout Redirect

/sso/logout

Parameters

token: string

`/sso/logout/authorize`

`Returns`

`/sso/logout`

`Parameters`