Documentation

Logging Out

Clear local sessions and invalidate tokens at Radiant Auth.

Local logout (required)

  1. Delete the server-side session (and stored tokens).
  2. Clear the session cookie.
  3. Revoke refresh/access tokens at the revocation endpoint.
revoke.ts
const body = new URLSearchParams({
  token: refreshTokenOrAccessToken,
  token_type_hint: "refresh_token",
  client_id: "YOUR_CLIENT_ID",
  client_secret: "YOUR_CLIENT_SECRET",
});

await fetch("https://auth.rdnt.live/api/auth/oauth2/revoke", {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body,
});

RP-initiated logout (optional)

To also clear the Radiant Auth browser session, redirect to the end-session endpoint. Your client must have end-session enabled and registered post-logout redirect URIs.

end-session.ts
const url = new URL("https://auth.rdnt.live/api/auth/oauth2/end-session");
url.searchParams.set("id_token_hint", idToken);
url.searchParams.set("client_id", "YOUR_CLIENT_ID");
url.searchParams.set(
  "post_logout_redirect_uri",
  "https://your-app.example/",
);
// Redirect the browser to url.toString()
Warning
There is no GET /logout protocol endpoint. Use /api/auth/oauth2/end-session for OIDC logout, or Better Auth sign-out only for the hosted auth UI itself.
Tip
Prefer revoking the refresh token even if end-session is unavailable — that prevents silent re-use of offline access.