The Logout-Endpoint logs the user out of the WSC.


The URL is or

Request Format

The following parameters are optional:

Name Description
post_logout_redirect_uri The URL where the user should be redirected to after Logout. Most match with the Redirect-URIs of the Client.
id_token_hint Recommended. An JWT Token, which is used to terminate all existing sessions with the Client.
state a custom state from your application. Please see next chapter for using this param for security purposes

State and Security

The state param can be used to prevent CSRF and Clickjacking vulnerabilities. state is sent in the authorization request and returned back in the response and should be a value that binds the user’s request to their authenticated state. For example, state could be a hash of the user’s session cookie, or some other nonce that can be linked to the user’s session. When a user begins an authorization flow on the client, a state is generated that is unique to that user’s request. This value is stored somewhere only accessible to the client and the user, i.e. protected by the same-origin policy. When the user is redirected, the state parameter is returned. The client validates the request by checking that the state returned matches the stored value. If they match, it is a valid authorization request. If they do not match, it’s possible that someone intercepted the request or otherwise falsely authorized themselves to another user’s resources, and the request should be denied. While the use of the state parameter is not required, it is highly recommend that you implement it for the security of your own applications and data.

Example Request

Response Format

The user will be redirected to the given post_logout_redirect_uri. The state will be included, if given at the request.