
Sign-out

Sign-out in Logto (as an OIDC identity provider) involves both:

  • A centralized Logto session (browser cookie under Logto domain), and
  • Distributed client-side auth state (tokens and local app session in each app).

To understand sign-out behavior, it helps to separate these two layers and then see how grants connect them.

Core concepts

What is a Logto session?

A Logto session is the centralized sign-in state managed by Logto. It is created after successful authentication and represented by cookies under the Logto domain.

If the session cookie is valid, the user can be silently authenticated (SSO) across multiple apps that trust the same Logto tenant.

If no valid session exists, Logto shows the sign-in page.

What are grants?

A grant represents the authorization status for a specific user + client application combination.

  • One Logto session can have grants for multiple client apps.
  • A grant is what issued tokens are associated with.
  • This doc set uses grant as the cross-app authorization unit.

How session, grants, and client auth status relate

  • Logto session controls centralized SSO experience.
  • Client local session/tokens control whether each app currently treats the user as signed in.
  • Grants connect these two worlds by representing app-specific authorization state.

Sign-in recap (why sign-out is multi-layered)

Session topology across apps/devices

If a user signs in to multiple apps from the same browser, those apps can reuse the same Logto session cookie and SSO behavior applies.

Isolated session cookies (different devices/browsers)

Different browsers/devices hold different Logto cookies, so sign-in session state is isolated.

Sign-out mechanisms

1) Client-side-only sign-out

The client app clears its own local session and tokens (ID/access/refresh tokens). This signs the user out of that app's local state only.

  • The Logto session may still be active.
  • Other apps under the same Logto session may still SSO.

2) End-session at Logto (global sign-out in current Logto implementation)

To clear the centralized Logto session, the app redirects the user to the end-session endpoint, for example:

https://{your-logto-domain}/oidc/session/end

In current Logto SDK behavior:

  1. signOut() redirects to /session/end.
  2. Then it goes to /session/end/confirm.
  3. Default confirm form auto-posts logout=true.

As a result, the current SDK sign-out is treated as a global sign-out.

What happens during global sign-out

During global sign-out:

  • The centralized Logto session is revoked.
  • Related app grants are handled according to each app's authorization state:
    • If offline_access is not granted, related grants are revoked.
    • If offline_access is granted, grants are not revoked by end-session.
  • For offline_access cases, refresh tokens and grants remain valid until grant expiration.

Grant lifetime and offline_access impact

  • Default Logto grant TTL is 180 days.
  • If offline_access is granted, end-session does not revoke that app grant by default.
  • The refresh token chain associated with that grant can continue until the grant expires (or is explicitly revoked).

Federated sign-out: back-channel logout

For cross-app consistency, Logto supports back-channel logout.

When a user signs out from one app, Logto can notify all apps participating in the same session by sending a logout token to each app's registered back-channel logout URI.

If the Is session required option is enabled in the app's back-channel settings, the logout token includes a sid claim identifying the Logto session.

Typical flow:

  1. User initiates sign-out from one app.
  2. Logto processes end-session and sends logout token(s) to registered back-channel logout URI(s).
  3. Each app validates the logout token and clears its own local session/tokens.

Sign-out methods in Logto SDKs

  • SPA and web: client.signOut() clears local token storage and redirects to Logto end-session endpoint. You may provide a post-logout redirect URI.
  • Native (including React Native / Flutter): usually clears local token storage only. A sessionless webview means there is no persistent Logto browser cookie to clear.

Note:

For native applications that do not support a sessionless webview or do not honor the settings emphasized above (for example an Android app using the React Native or Flutter SDK), you can force the user to sign in again by passing the prompt=login parameter in the authorization request.

Enforce re-authentication on every access

For high-security actions, include prompt=login in auth requests to bypass SSO and force credential entry each time.

If requesting offline_access (to receive refresh tokens), also include consent, i.e. prompt=login consent.

Typical combined setting:

prompt=login consent
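The following added example (not Logto SDK code) puts the two sign-out layers from "Sign-out mechanisms" and the prompt rule from this section side by side in a browser-style client: clearing the app's own token storage (layer 1), building the end-session redirect that revokes the centralized Logto session (layer 2), and building an authorization request that sets prompt=login, or prompt=login consent when offline_access is in scope. The endpoint and client id are placeholders; /oidc/session/end is the path from this page, while the authorization path /oidc/auth and the parameter names client_id, id_token_hint and post_logout_redirect_uri are the standard OIDC names and are assumed to apply to Logto unchanged.

```javascript
// Placeholders: replace with your tenant endpoint and application id.
const LOGTO_ENDPOINT = 'https://your-logto-domain.example';
const CLIENT_ID = 'your-app-id';

const TOKEN_KEYS = ['idToken', 'accessToken', 'refreshToken'];

// Stand-in for the storage an SDK keeps per app (constructed sample values).
function createTokenStorage() {
  return new Map([
    ['idToken', 'constructed.id.token'],
    ['accessToken', 'constructed.access.token'],
    ['refreshToken', 'constructed.refresh.token'],
  ]);
}

// Layer 1, client-side-only sign-out: only this app's local state is removed.
// The Logto session cookie, and therefore SSO into other apps, is untouched.
function clearLocalSession(storage) {
  for (const key of TOKEN_KEYS) storage.delete(key);
  return TOKEN_KEYS.every((key) => !storage.has(key));
}

// Layer 2, global sign-out: the redirect that ends the centralized Logto session.
// Assumes Logto accepts the standard RP-Initiated Logout parameters.
function buildEndSessionUrl({ endpoint = LOGTO_ENDPOINT, clientId = CLIENT_ID, idTokenHint, postLogoutRedirectUri }) {
  const url = new URL('/oidc/session/end', endpoint);
  url.searchParams.set('client_id', clientId);
  if (idTokenHint) url.searchParams.set('id_token_hint', idTokenHint);
  if (postLogoutRedirectUri) url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return url.toString();
}

// Full sign-out as an SDK performs it: clear local state, then hand the browser
// to the end-session endpoint. Returns the redirect target instead of navigating.
function signOut(storage, postLogoutRedirectUri) {
  const idTokenHint = storage.get('idToken');
  clearLocalSession(storage);
  return buildEndSessionUrl({ idTokenHint, postLogoutRedirectUri });
}

// Authorization request that bypasses SSO when forceReauth is set. With
// offline_access in scope, consent is required as well, so prompt becomes
// "login consent"; without offline_access it is just "login".
function buildAuthorizationUrl({ endpoint = LOGTO_ENDPOINT, clientId = CLIENT_ID, redirectUri, scopes,
  state, codeChallenge, forceReauth = false }) {
  const url = new URL('/oidc/auth', endpoint); // assumed authorization endpoint path
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', scopes.join(' '));
  url.searchParams.set('state', state);
  url.searchParams.set('code_challenge', codeChallenge);
  url.searchParams.set('code_challenge_method', 'S256');
  if (forceReauth) {
    url.searchParams.set('prompt', scopes.includes('offline_access') ? 'login consent' : 'login');
  }
  return url.toString();
}

// Helper for inspecting the prompt a built request carries.
function promptOf(urlString) {
  return new URL(urlString).searchParams.get('prompt');
}

// Usage (constructed values for state and PKCE challenge):
const storage = createTokenStorage();
console.log(signOut(storage, 'https://app.example/signed-out'));
console.log(buildAuthorizationUrl({
  redirectUri: 'https://app.example/callback',
  scopes: ['openid', 'offline_access'],
  state: 'constructed-state',
  codeChallenge: 'constructed-challenge',
  forceReauth: true,
}));
```

Keep the "sign out" button of a native app honest about which layer it reaches: if the SDK only runs clearLocalSession, the next authorization request will silently succeed through SSO unless it sets prompt=login as the note above describes.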

FAQs

I'm not receiving the back-channel logout notifications.

  • Ensure the back-channel logout URI is correctly registered in the Logto dashboard.
  • Ensure your app has an active sign-in state for the same user/session context.
