
Secure logout

Securely logging a user out is a critical part of session management. A complete logout process involves two main actions:

  1. Clearing the application session: Removing session tokens from your application’s storage (e.g., browser cookies and backend database).
  2. Invalidating the Scalekit session: Informing Scalekit to end the user’s session on its servers.

This is the standard flow where a user clicks a “Logout” button in your application.

  1. Your application should have an endpoint, like /logout, that handles the logout logic.

  2. First, clear all session data stored by your application. This includes the accessToken from cookies and the refreshToken from your database.

    Express.js
    ```javascript
    // A function to clear session data.
    // `db` is assumed to be your application's database helper.
    async function clearSessionData(res, userId) {
      // Clear the access token cookie
      res.clearCookie('accessToken');
      // Remove the refresh token from your database
      await db.deleteRefreshToken(userId);
    }

    app.get('/logout', async (req, res) => {
      // Assuming you have the user's ID from a verified session
      const userId = req.user.id;
      const idToken = req.cookies.idToken; // Or retrieve from session
      // Await the cleanup so the refresh token is really gone before continuing
      await clearSessionData(res, userId);
      // Proceed to invalidate the Scalekit session...
    });
    ```
  3. After clearing your local session, redirect the user to the Scalekit logout endpoint. This will invalidate their session on Scalekit’s servers and then redirect them back to your application.

    The Scalekit logout endpoint signature is:

    {SCALEKIT_ENV_URL}/oidc/logout?id_token_hint={idToken}&post_logout_redirect_uri={postLogoutRedirectUri}
    • Replace {SCALEKIT_ENV_URL} with your Scalekit environment URL (e.g., https://app.scalekit.com).
    • {idToken} is the user’s ID token.
    • {postLogoutRedirectUri} is the URL to redirect to after logout (must be registered in Scalekit).
    Express.js
    ```javascript
    // `scalekit` is assumed to be your initialized Scalekit SDK client.
    app.get('/logout', async (req, res) => {
      const userId = req.user.id;
      // Read the ID token before the local session is cleared
      const idTokenHint = req.cookies.idToken;
      // Must match a post-logout redirect URI registered in the Scalekit dashboard
      const postLogoutRedirectUri = 'http://localhost:3000/login';
      // Clear local session data (awaited so the refresh token is removed first)
      await clearSessionData(res, userId);
      // Generate the Scalekit logout URL
      const logoutUrl = scalekit.getLogoutUrl({
        idTokenHint,
        postLogoutRedirectUri
      });
      // Redirect to Scalekit to complete the logout
      res.redirect(logoutUrl);
    });
    ```

    The post-logout redirect URI is the destination the user is sent to after logging out, for example your website's landing page or the login page. It must be registered as a post-logout URL in the Scalekit dashboard.

Backchannel logout enables coordinated logout across multiple applications that share the same Scalekit authentication. When a user logs out from one application, they’re automatically logged out from all connected applications for enhanced security.

Imagine your organization uses multiple applications—a project management tool, document sharing platform, and team chat application—all authenticated through Scalekit. Without backchannel logout, users must manually log out from each application individually, creating security risks if they forget to log out from some applications.

Backchannel logout solves this by automatically terminating all related sessions when logout occurs in any single application.

  1. User initiates logout

    A user logs out from one of your applications.

  2. Scalekit sends notification

    Scalekit sends a logout notification to your registered backchannel logout endpoint.

  3. Application terminates sessions

    Your application receives the notification, validates it, and terminates the user’s session from all connected applications.

This ensures that logging out from one application automatically logs the user out from all connected applications, providing a seamless and secure experience.

IdP-initiated logout (Coming Soon)

For enterprise customers using SSO, an administrator might initiate logout directly from their Identity Provider’s (IdP) dashboard (e.g., Okta). Scalekit supports this flow by notifying your application to terminate the user’s session.

When this feature is available, the flow will be as follows:

  1. An IdP administrator initiates a logout.
  2. The IdP sends a logout request to Scalekit.
  3. Scalekit calls a pre-configured webhook endpoint on your application.
  4. Your application receives the request, identifies the user, and clears their session data, effectively logging them out.

Contact Support

This feature is currently available upon request. Contact our support team to have this feature enabled for your account.