
Logout & Refresh

Logout

POST /auth/logout
Authorization: Bearer <access_token>
{ "refresh_token": "..." }

Request body is optional — pass refresh_token to revoke it alongside the access token; omit it to only revoke the access token (the refresh token remains valid until it naturally expires).

Both tokens, once revoked, are checked against the blacklist on every subsequent verification — a logged-out token cannot be used again even if it hasn't technically expired.

Returns 204 No Content.

Refresh

POST /auth/refresh
{ "refresh_token": "..." }

{
  "access_token": "...",
  "refresh_token": "...",
  "token_type": "bearer"
}

When WardenConfig.enable_refresh_rotation=True (the default), the old refresh token is blacklisted as part of this call — it cannot be reused. If a stolen refresh token gets used once by an attacker and once by the real user, whichever request lands second gets TokenRevoked, which is a useful signal that something's wrong.
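The logout and refresh behaviour above, modelled as an added in-memory example (this is illustrative code, not Warden's own implementation): every verification consults the blacklist first, logout revokes the access token and optionally the refresh token, and with rotation enabled a second use of the same refresh token raises TokenRevoked. The DemoTokenService class, its method names and the time-based expiry are assumptions for the example.

```python
import secrets, time

class TokenExpired(Exception): pass
class TokenRevoked(Exception): pass
class InvalidToken(Exception): pass

class DemoTokenService:
    # Hypothetical model of the logout/refresh flow; not Warden's own code.
    def __init__(self, enable_refresh_rotation=True, access_ttl=900, refresh_ttl=86400):
        self.rotation = enable_refresh_rotation
        self.ttl = {"access": access_ttl, "refresh": refresh_ttl}
        self.issued = {}        # token -> (kind, subject, expires_at)
        self.blacklist = set()  # revoked tokens, consulted on every verification

    def _issue(self, kind, subject, now):
        tok = f"{kind}.{secrets.token_urlsafe(16)}"
        self.issued[tok] = (kind, subject, now + self.ttl[kind])
        return tok

    def login(self, subject, now=None):
        now = time.time() if now is None else now
        return {"access_token": self._issue("access", subject, now),
                "refresh_token": self._issue("refresh", subject, now),
                "token_type": "bearer"}

    def verify(self, token, expected_kind, now=None):
        now = time.time() if now is None else now
        # Blacklist is checked first: a logged-out or rotated token is
        # rejected even if its expiry has not yet passed.
        if token in self.blacklist:
            raise TokenRevoked("token already used (rotation) or logged out")
        meta = self.issued.get(token)
        if meta is None or meta[0] != expected_kind:
            raise InvalidToken("malformed or wrong token type")
        if now >= meta[2]:
            raise TokenExpired("token expired")
        return meta[1]

    def logout(self, access_token, refresh_token=None, now=None):
        self.verify(access_token, "access", now)
        self.blacklist.add(access_token)
        if refresh_token is not None:   # only revoked when the caller passes it
            self.verify(refresh_token, "refresh", now)
            self.blacklist.add(refresh_token)

    def refresh(self, refresh_token, now=None):
        now = time.time() if now is None else now
        subject = self.verify(refresh_token, "refresh", now)
        if self.rotation:
            self.blacklist.add(refresh_token)  # a second use now raises TokenRevoked
        return self.login(subject, now)
```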

Errors

| Status | Exception    | When                                                                    |
|--------|--------------|-------------------------------------------------------------------------|
| 400    | TokenExpired | The token's expiry time has passed.                                     |
| 401    | TokenRevoked | Token already used (rotation) or explicitly logged out.                 |
| 400    | InvalidToken | Malformed, wrong type, or the underlying user is now inactive/deleted.  |