The Logout endpoints enable the RP-initiated logout functionality for users in your application. Refer to Single Logout section for more details on how to handle RP-initiated or IdP-initiated logout.
revocation_endpoint and end_session_endpoint
in the discovery document.
You should call this endpoint from your server to generate a logout token which is required for the Logout Redirect endpoint.
curl --request POST \ --url "https://auth.workos.com/sso/logout/authorize" \ --header "Authorization: Bearer sk_example_123456789" \ --header "Content-Type: application/json" \ -d @- <<'BODY' { "profile_id": "prof_01HXYZ123456789ABCDEFGHIJ" } BODY
{ "logout_url": "https://auth.workos.com/sso/logout?token=eyJhbGciOiJSUzI1NiJ9", "logout_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcm9maWxlX2lkIjoicHJvZl8wMUdXUTFHMEgyRk02QVNFRjBIUzEzSENXOS0zMDRrZzAzZyIsImV4cCI6IjE1MTYyMzkwMjIifQ.Wru9Qlnf5DpohtGCKhZU4cVOd3zpiu7QQ-XEX--5A_4" }
| curl --request POST \ | |
| --url "https://auth.workos.com/sso/logout/authorize" \ | |
| --header "Authorization: Bearer sk_example_123456789" \ | |
| --header "Content-Type: application/json" \ | |
| -d @- <<'BODY' | |
| { | |
| "profile_id": "prof_01HXYZ123456789ABCDEFGHIJ" | |
| } | |
| BODY |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.sso.authorize_logout(profile_id: "prof_01HXYZ123456789ABCDEFGHIJ") |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.sso.authorize_logout(profile_id="prof_01HXYZ123456789ABCDEFGHIJ") |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.SSO().AuthorizeLogout(context.Background(), &workos.SSOAuthorizeLogoutParams{ | |
| ProfileID: "prof_01HXYZ123456789ABCDEFGHIJ", | |
| }) | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos->sso()->authorizeLogout(profileId: "prof_01HXYZ123456789ABCDEFGHIJ"); |
| import com.workos.WorkOS; | |
| import com.workos.sso.SSOApi.AuthorizeLogoutOptions; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| AuthorizeLogoutOptions options = | |
| AuthorizeLogoutOptions.builder().profileId("prof_01HXYZ123456789ABCDEFGHIJ").build(); | |
| workos.sso.authorizeLogout(options); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.SSO.AuthorizeLogoutAsync(new SSOAuthorizeLogoutOptions { | |
| ProfileId = "prof_01HXYZ123456789ABCDEFGHIJ", | |
| }); |
| use workos::Client; | |
| use workos::sso::AuthorizeLogoutParams; | |
| #[tokio::main] | |
| async fn main() -> Result<(), workos::Error> { | |
| let client = Client::builder() | |
| .api_key("sk_example_123456789") | |
| .client_id("client_123456789") | |
| .build(); | |
| let _result = client | |
| .sso() | |
| .authorize_logout( | |
| AuthorizeLogoutParams { | |
| profile_id: "prof_01HXYZ123456789ABCDEFGHIJ".into(), | |
| ..Default::default() | |
| } | |
| ) | |
| .await?; | |
| Ok(()) | |
| } |
| { | |
| "logout_url": "https://auth.workos.com/sso/logout?token=eyJhbGciOiJSUzI1NiJ9", | |
| "logout_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcm9maWxlX2lkIjoicHJvZl8wMUdXUTFHMEgyRk02QVNFRjBIUzEzSENXOS0zMDRrZzAzZyIsImV4cCI6IjE1MTYyMzkwMjIifQ.Wru9Qlnf5DpohtGCKhZU4cVOd3zpiu7QQ-XEX--5A_4" | |
| } |
POST/ssoReturns Logout allows to sign out a user from your application by triggering the identity provider sign out flow.
This GET endpoint should be a redirection, since the identity provider user will be identified in the browser session.
Before redirecting to this endpoint, you need to generate a short-lived logout token using the Logout Authorize endpoint.
curl "https://auth.workos.com/sso/logout" \ -G \ -d token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcm9maWxlX2lkIjoicHJvZl8wMUdXUTFHMEgyRk02QVNFRjBIUzEzSENXOS0zMDRrZzAzZyIsImV4cCI6IjE1MTYyMzkwMjIifQ.Wru9Qlnf5DpohtGCKhZU4cVOd3zpiu7QQ-XEX--5A_4
| curl "https://auth.workos.com/sso/logout" \ | |
| -G \ | |
| -d token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcm9maWxlX2lkIjoicHJvZl8wMUdXUTFHMEgyRk02QVNFRjBIUzEzSENXOS0zMDRrZzAzZyIsImV4cCI6IjE1MTYyMzkwMjIifQ.Wru9Qlnf5DpohtGCKhZU4cVOd3zpiu7QQ-XEX--5A_4 |
GET/ssoParameters