Octopus Cards

Logout

Revoke all tokens for the authenticated client

POST /auth/logout

Revoke all active tokens (both access and refresh) for the authenticated client. Requires a valid access token in the Authorization header.

Request

cURL

curl -X POST {{host}}/auth/logout \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Go

package main

import (
    "encoding/json"
    "fmt"
    "net/http"
)

func main() {
    // POST with an empty body; the endpoint takes no request body.
    req, err := http.NewRequest("POST", "{{host}}/auth/logout", nil)
    if err != nil {
        panic(err)
    }
    // The access token goes in the Authorization header as a Bearer token.
    req.Header.Set("Authorization", "Bearer eyJhbGciOiJIUzI1NiIs...")

    resp, err := http.DefaultClient.Do(req)
    if err != nil {
        panic(err)
    }
    defer resp.Body.Close()

    // Shape of the success response: {"success": true, "data": {"message": "..."}}
    var result struct {
        Success bool `json:"success"`
        Data    struct {
            Message string `json:"message"`
        } `json:"data"`
    }
    if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
        panic(err)
    }

    fmt.Println(result.Data.Message)
}

No request body is required.

Request Parameters

Key                  | Type   | Required | Description
Authorization header | string | Yes      | Bearer {access_token} — a valid JWT access token

Response

{
  "success": true,
  "data": {
    "message": "Successfully logged out"
  }
}

Response Fields

Key          | Type    | Description
success      | boolean | Always true on success
data.message | string  | Confirmation message

All tokens for the client are revoked — not just the one used in the request. After logout, both the access token and any refresh tokens will stop working. To use the API again, call login to obtain new tokens.

Errors

401 Unauthorized — No Authorization header provided.

{
  "error": {
    "name": "UnauthorizedError",
    "code": "UNAUTHORIZED",
    "message": "Authorization header required"
  }
}

The Authorization: Bearer {token} header must be present on every request to this endpoint.

401 Unauthorized — Token is not valid.

{
  "error": {
    "name": "UnauthorizedError",
    "code": "UNAUTHORIZED",
    "message": "Invalid token"
  }
}

Returned when the JWT signature is invalid, the token does not exist in the system, or the token has already been revoked.

401 Unauthorized — The access token has expired.

{
  "error": {
    "name": "UnauthorizedError",
    "code": "UNAUTHORIZED",
    "message": "Token expired"
  }
}

Access tokens are valid for 1 hour. If expired, call refresh first, then retry logout with the new access token.
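The flow described above (expired access token, refresh, retry) together with the revocation semantics from the Response section, worked through as an added example. This is not code from Octopus Cards or the page: the client functions (Logout, LogoutWithRefresh, ErrMessage) are assumptions, the refresh step is a caller-supplied callback because the refresh endpoint is not described on this page, and MockAuth is a constructed stand-in server that models only the documented responses so the example runs offline. Token strings are made up, not real JWTs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// APIError is the documented error envelope: {"error": {name, code, message}}.
type APIError struct {
	Name    string `json:"name"`
	Code    string `json:"code"`
	Message string `json:"message"`
}

func (e *APIError) Error() string { return e.Code + ": " + e.Message }

// Logout (assumed helper) calls POST /auth/logout with a bearer token and returns
// the confirmation message, or the decoded *APIError on a 401/403.
func Logout(c *http.Client, host, accessToken string) (string, error) {
	req, err := http.NewRequest(http.MethodPost, host+"/auth/logout", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct {
		Success bool                             `json:"success"`
		Data    struct{ Message string `json:"message"` } `json:"data"`
		Error   *APIError                        `json:"error"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	if body.Error != nil {
		return "", body.Error
	}
	if !body.Success {
		return "", errors.New("unexpected response from /auth/logout")
	}
	return body.Data.Message, nil
}

// ErrMessage returns the API error message, or "" for nil / non-API errors.
func ErrMessage(err error) string {
	var apiErr *APIError
	if errors.As(err, &apiErr) {
		return apiErr.Message
	}
	return ""
}

// LogoutWithRefresh retries once with a fresh access token when the server
// answers "Token expired". refresh is caller-supplied (assumption: the refresh
// endpoint's request shape is not documented on this page).
func LogoutWithRefresh(c *http.Client, host, token string, refresh func() (string, error)) (string, error) {
	msg, err := Logout(c, host, token)
	if ErrMessage(err) != "Token expired" {
		return msg, err
	}
	newTok, err := refresh()
	if err != nil {
		return "", err
	}
	return Logout(c, host, newTok)
}

// MockAuth is a constructed stand-in for the server, not the real API. It models
// the documented behaviour: logout revokes every token of the client (access and
// refresh alike), and unknown or revoked tokens are rejected as "Invalid token".
type MockAuth struct {
	mu      sync.Mutex
	owner   map[string]string // token -> client id
	expired map[string]bool
	revoked map[string]bool
}

func NewMockAuth() *MockAuth {
	return &MockAuth{owner: map[string]string{}, expired: map[string]bool{}, revoked: map[string]bool{}}
}

// Issue registers a token for client; expired marks it as a stale access token.
func (m *MockAuth) Issue(client, token string, expired bool) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.owner[token] = client
	m.expired[token] = expired
}

func writeErr(w http.ResponseWriter, status int, name, code, msg string) {
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]interface{}{"error": map[string]string{"name": name, "code": code, "message": msg}})
}

func (m *MockAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.URL.Path != "/auth/logout" {
		http.NotFound(w, r)
		return
	}
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		writeErr(w, 401, "UnauthorizedError", "UNAUTHORIZED", "Authorization header required")
		return
	}
	tok := strings.TrimPrefix(auth, "Bearer ")
	m.mu.Lock()
	defer m.mu.Unlock()
	client, known := m.owner[tok]
	if !known || m.revoked[tok] {
		writeErr(w, 401, "UnauthorizedError", "UNAUTHORIZED", "Invalid token")
		return
	}
	if m.expired[tok] {
		writeErr(w, 401, "UnauthorizedError", "UNAUTHORIZED", "Token expired")
		return
	}
	for t, c := range m.owner { // revoke all of this client's tokens, not just tok
		if c == client {
			m.revoked[t] = true
		}
	}
	json.NewEncoder(w).Encode(map[string]interface{}{"success": true, "data": map[string]string{"message": "Successfully logged out"}})
}

// Scenario runs the documented flow against the mock: the expired access token
// triggers refresh and retry; afterwards both the new access token and the
// refresh token are rejected because logout revoked all of them.
func Scenario() (first, second, third string) {
	m := NewMockAuth()
	m.Issue("client-1", "access-old", true) // constructed, expired
	m.Issue("client-1", "refresh-1", false) // constructed refresh token
	m.Issue("client-1", "access-new", false) // what refresh would hand back
	srv := httptest.NewServer(m)
	defer srv.Close()
	refresh := func() (string, error) { return "access-new", nil }
	first, _ = LogoutWithRefresh(srv.Client(), srv.URL, "access-old", refresh)
	_, err := Logout(srv.Client(), srv.URL, "access-new")
	second = ErrMessage(err)
	_, err = Logout(srv.Client(), srv.URL, "refresh-1")
	third = ErrMessage(err)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

The retry is bounded to a single refresh: if the refreshed token is itself rejected, the error is returned rather than looping. The second and third calls in Scenario are the check a practitioner should run against the real service too, namely that after logout neither the access token nor the refresh token is accepted anywhere.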

403 Forbidden — Request IP is not in the client's whitelist.

{
  "error": {
    "name": "ForbiddenError",
    "code": "FORBIDDEN",
    "message": "IP address not authorized"
  }
}

Returned when the client has IP whitelist entries configured and the request IP does not match any allowed CIDR range.
