POST /v1/auth/logout
https://api.triport.io/v1/auth/logoutRevokes the current console session and clears the `nl_session` cookie.
Ends the caller's console session. The server looks up the session row by the
token carried in the nl_session cookie, marks it revoked in the database, and
then instructs the browser to clear the nl_session cookie. On success the
response body is simply { "ok": true }.
This is a console (dashboard) endpoint, not an RPC endpoint — it uses the same
cookie-session scheme as the rest of /v1/auth/*. There is no API-key or
Bearer-token form. Because logout is a mutating request, it requires the
X-CSRF-Token header whose value must match the nl_csrf cookie that was set
at login.
The call is idempotent: if the session token is already revoked, expired, or
simply absent, the server still returns { "ok": true } and clears the cookie.
Retry on failure. If the database revoke fails, the endpoint returns
500 logout_failedand does not clear thenl_sessioncookie. This is deliberate — clearing the cookie while the session row is still valid (revoked_at IS NULL) would leave a dangling, still-authenticating session behind. The client must retry until it receives a success response.
Parameters
This endpoint takes no path params, query params, or request body. The caller is identified entirely by the request cookies and CSRF header.
nl_sessionrequirednl_csrfrequiredX-CSRF-Tokenrequirednl_csrf cookie value.Response
Response fields
| Field | Type | Description |
|---|---|---|
ok | boolean | Always true on success. The nl_session cookie is cleared via Set-Cookie on the same response. |
Errors
| Code | HTTP status | Meaning | When it happens |
|---|---|---|---|
logout_failed | 500 | The session revoke did not complete. | A transient database error while revoking the session row. The cookie is not cleared — retry the request. |
method_not_allowed | 405 | Wrong HTTP method. | The request used a verb other than POST. |
Errors use the shared error envelope { "error": "<code>" }. See
errors.md for the full envelope and handling guidance.
Examples
JavaScript (fetch)
function readCookie(name) {
const m = document.cookie.match(new RegExp(`(?:^|; )${name}=([^;]*)`));
return m ? decodeURIComponent(m[1]) : null;
}
await fetch("https://api.triport.io/v1/auth/logout", {
method: "POST",
credentials: "include",
headers: {
"Content-Type": "application/json",
"X-CSRF-Token": readCookie("nl_csrf") ?? "",
},
});TypeScript SDK (@triport/sdk)
import { TriportConsole } from "@triport/sdk";
const console = new TriportConsole({ baseUrl: "https://api.triport.io" });
// Revokes the active session and clears the session cookie.
await console.auth.logout();Python (triport-sdk)
from triport import ConsoleClient
console = ConsoleClient(base_url="https://api.triport.io")
# Session cookie + CSRF are managed by the client.
console.auth.logout()Notes
- Best-effort on the client, exact on the server. Frontends often clear local
auth state regardless of the network outcome, but the session row is only
invalidated once this endpoint returns success — so keep retrying after a
logout_failedto avoid leaving a usable session behind. - Idempotent. Calling logout twice, or after the session has already expired,
is safe and returns
{ "ok": true }. - Related: me.md (inspect the current session) and the authentication overview.