
Logout flow


It is important to read the sections Why this shape and Reference example and production readiness on Authentication before relying on this page. They explain why the default BFF-centred pattern exists, how you can extend or replace it, and what the reference implementation does and does not promise for production.

This page describes logout: the BFF asks the auth integration to revoke tokens when it can, clears auth cookies, and removes all cart and wishlist ID cookies the BFF manages. CSRF is required, and a successful response runs CsrfTokenCleanupInterceptor. Contract: logout.ts.

Logout process

  1. CSRF token — Same as Login flow.

  2. Logout request — POST /auth/logout with CSRF header and cookie.

  3. CSRF validation — Same as login.

  4. Token revocation — The BFF reads the tokens from cookies and asks the auth provider to revoke the access and refresh tokens in parallel; for example, logout.service.ts in the reference commercetools-auth package uses Promise.allSettled so that a failure on one token does not block the other. Local cleanup still runs if revocation fails.

  5. Cookie cleanup — AuthService.logout clears auth tokens and removes all cart ID and wishlist ID cookies. The controller does not wrap this route with handleAuthWithCartSetup (used on Login flow and Register flow); teardown stays in AuthService.logout.

  6. Response — The BFF returns success; the presentation app updates the UI. The call is idempotent (it can succeed even when no tokens are present).

Error handling

  • Missing tokens — Logout still completes and cookies are cleared.
  • Revocation errors — Errors are logged; local session data is cleared anyway.
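The following is an added example, not code from SHOPin or its commercetools-auth package. It sketches steps 4 to 6 above together with the two error-handling rules: both tokens are revoked in parallel with Promise.allSettled, a revocation failure is logged but never stops local cleanup, every cart ID and wishlist ID cookie is removed, and the call succeeds even when no tokens are present. The cookie names, the RevocationClient and Logger shapes, the in-memory cookie jar and the fake provider client are all assumptions made for this illustration.

```typescript
// Added example (not SHOPin's own code). Cookie names, the RevocationClient
// and Logger interfaces, and the Map-based cookie jar are assumptions.

type CookieJar = Map<string, string>;
type TokenHint = "access_token" | "refresh_token";

interface RevocationClient {
  // Asks the auth provider to revoke one token; rejects on failure.
  revoke(token: string, hint: TokenHint): Promise<void>;
}

interface Logger {
  warn(message: string): void;
}

// Assumed cookie names for this illustration.
export const ACCESS_COOKIE = "access_token";
export const REFRESH_COOKIE = "refresh_token";
export const CART_COOKIE_PREFIX = "cart_id";
export const WISHLIST_COOKIE_PREFIX = "wishlist_id";

export interface LogoutResult {
  success: true;
  revoked: { access: boolean; refresh: boolean };
  cleared: string[];
}

// Pure helper: every cookie the BFF removes on logout. All cart and wishlist
// ID cookies go, however many the BFF currently manages; unrelated cookies stay.
export function cookiesToClear(names: Iterable<string>): string[] {
  const out: string[] = [];
  for (const name of names) {
    if (
      name === ACCESS_COOKIE ||
      name === REFRESH_COOKIE ||
      name.startsWith(CART_COOKIE_PREFIX) ||
      name.startsWith(WISHLIST_COOKIE_PREFIX)
    ) {
      out.push(name);
    }
  }
  return out.sort();
}

// Revokes whichever tokens are present. Promise.allSettled lets one failure
// leave the other attempt untouched; failures are logged and reported, not thrown.
async function revokeTokens(
  jar: CookieJar,
  client: RevocationClient,
  log: Logger,
): Promise<{ access: boolean; refresh: boolean }> {
  const attempt = async (token: string | undefined, hint: TokenHint): Promise<boolean> => {
    if (!token) return false; // nothing to revoke: logout is still fine (idempotent)
    await client.revoke(token, hint);
    return true;
  };
  const [a, r] = await Promise.allSettled([
    attempt(jar.get(ACCESS_COOKIE), "access_token"),
    attempt(jar.get(REFRESH_COOKIE), "refresh_token"),
  ]);
  const settle = (res: PromiseSettledResult<boolean>, hint: TokenHint): boolean => {
    if (res.status === "fulfilled") return res.value;
    log.warn(`revocation of ${hint} failed: ${String(res.reason)}`);
    return false;
  };
  return { access: settle(a, "access_token"), refresh: settle(r, "refresh_token") };
}

// The logout itself: best-effort revocation, then unconditional local cleanup.
export async function logout(
  jar: CookieJar,
  client: RevocationClient,
  log: Logger,
): Promise<LogoutResult> {
  const revoked = await revokeTokens(jar, client, log);
  const cleared = cookiesToClear(jar.keys()); // collect first, then delete
  for (const name of cleared) jar.delete(name);
  return { success: true, revoked, cleared };
}

// Constructed stand-in for the auth provider: records revoked tokens and
// rejects any token listed in `failing`, to exercise the error path offline.
export function makeFakeClient(failing: Set<string>): RevocationClient & { revokedTokens: string[] } {
  const revokedTokens: string[] = [];
  return {
    revokedTokens,
    async revoke(token: string, hint: TokenHint): Promise<void> {
      if (failing.has(token)) throw new Error(`provider rejected ${hint}`);
      revokedTokens.push(token);
    },
  };
}
```

In a real BFF the cookie jar would be the request's cookies and the cleanup would also set expired Set-Cookie headers on the response; the point the example makes is the ordering: revocation is attempted for every token found, its outcome is recorded, and the cookie teardown runs regardless of that outcome.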
