
Logout

POST /api/v1/users/auth/logout

Revokes the entire refresh-token family that the supplied refresh token belongs to. All currently-active sibling tokens within that family are simultaneously revoked.

cv-api-key + refresh_token (body)
Production: https://api.care360-next.carevalidate.com/api/v1/users/auth/logout
Staging: https://api-staging.care360-next.carevalidate.com/api/v1/users/auth/logout

Note

This endpoint always returns 200 OK when authenticated against a valid organization, even if the supplied refresh token is unknown or already revoked. It does not leak whether the token was valid.

Headers

cv-api-key (string, required)

Your unique API key for authentication.

Content-Type (string, required)

Must be application/json.

Request Body

refresh_token (string, required)

The opaque refresh token whose family should be revoked.

Behavior

  1. Resolves the organization from cv-api-key.
  2. SHA3-512-hashes the supplied refresh token and looks up the row.
  3. If found, revokes the entire family by familyId — every active sibling token is invalidated in one operation.
  4. If not found, returns success silently.
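
The four steps above as a small in-memory model. This is an added example, not the API's actual implementation; the store layout, the field names `orgId` and `revokedAt`, the sample API key and tokens, and the organization scoping of the lookup are assumptions.

```javascript
// Added example: in-memory model of the logout behavior documented above.
// Store layout, field names and the sample API key are assumptions.
const crypto = require('node:crypto');

// Only the SHA3-512 digest of a refresh token is stored, never the token.
const hashToken = (t) => crypto.createHash('sha3-512').update(t, 'utf8').digest('hex');

const orgsByApiKey = new Map([['constructed-api-key', 'org-1']]); // constructed sample
const tokenRows = new Map(); // tokenHash -> { orgId, familyId, revokedAt }

function storeToken(orgId, familyId, token) {
  tokenRows.set(hashToken(token), { orgId, familyId, revokedAt: null });
}

function logout(apiKey, body) {
  const token = body && body.refresh_token;
  if (!apiKey || typeof token !== 'string' || token.length === 0) {
    return { status: 400, success: false, error: 'Validation failed', code: 'VALIDATION_ERROR' };
  }
  // Step 1: resolve the organization from cv-api-key.
  const orgId = orgsByApiKey.get(apiKey);
  if (!orgId) {
    return { status: 404, success: false, error: 'Organization not found', code: 'NOT_FOUND' };
  }
  // Step 2: hash the supplied token and look up the row.
  const row = tokenRows.get(hashToken(token));
  // Step 3: revoke every active token in the family (org scoping is an assumption).
  if (row && row.orgId === orgId) {
    const now = new Date().toISOString();
    for (const r of tokenRows.values()) {
      if (r.orgId === orgId && r.familyId === row.familyId && r.revokedAt === null) r.revokedAt = now;
    }
  }
  // Step 4: same body whether or not the token was known, so validity is not revealed.
  return { status: 200, success: true };
}

const isActive = (token) => {
  const row = tokenRows.get(hashToken(token));
  return Boolean(row) && row.revokedAt === null;
};

// Constructed sample data: two sibling tokens in family A, one token in family B.
storeToken('org-1', 'fam-A', 'rt-a1');
storeToken('org-1', 'fam-A', 'rt-a2');
storeToken('org-1', 'fam-B', 'rt-b1');
```

Calling `logout` with `rt-a1` revokes `rt-a2` as well and leaves `rt-b1` active; a never-issued token produces a byte-identical 200 body.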

Example Request

curl -X POST '<BASE_URL>/api/v1/users/auth/logout' \
-H 'cv-api-key: <redacted>' \
-H 'Content-Type: application/json' \
-d '{
"refresh_token": "<opaque-refresh-token>"
}'

Responses

200 Success: Family revoked, or token unknown (returned identically to avoid leaking validity).
{
"status": 200,
"success": true
}
400 Validation error: cv-api-key missing, or body fails Zod validation (refresh_token empty).
{
"status": 400,
"success": false,
"error": "Validation failed",
"code": "VALIDATION_ERROR"
}
404 Organization not found: cv-api-key does not resolve to a partner organization.
{
"status": 404,
"success": false,
"error": "Organization not found",
"code": "NOT_FOUND"
}
