Documentation
Logging Out
Clear local sessions and invalidate tokens at Radiant Auth.
Local logout (required)
- Delete the server-side session (and stored tokens).
- Clear the session cookie.
- Revoke refresh/access tokens at the revocation endpoint.
revoke.ts
const body = new URLSearchParams({
token: refreshTokenOrAccessToken,
token_type_hint: "refresh_token",
client_id: "YOUR_CLIENT_ID",
client_secret: "YOUR_CLIENT_SECRET",
});
await fetch("https://auth.rdnt.live/api/auth/oauth2/revoke", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body,
});RP-initiated logout (optional)
To also clear the Radiant Auth browser session, redirect to the end-session endpoint. Your client must have end-session enabled and registered post-logout redirect URIs.
end-session.ts
const url = new URL("https://auth.rdnt.live/api/auth/oauth2/end-session");
url.searchParams.set("id_token_hint", idToken);
url.searchParams.set("client_id", "YOUR_CLIENT_ID");
url.searchParams.set(
"post_logout_redirect_uri",
"https://your-app.example/",
);
// Redirect the browser to url.toString()Warning
There is no
GET /logout protocol endpoint. Use /api/auth/oauth2/end-session for OIDC logout, or Better Auth sign-out only for the hosted auth UI itself.Tip
Prefer revoking the refresh token even if end-session is unavailable — that prevents silent re-use of offline access.