Logout

Revoke the current refresh token and invalidate the session. The refresh cookie is cleared.

POST /api/v1/auth/logout — 🌐 Public · Rate limit: 60 req / hour

Revokes the user's refresh token (from the biore_refresh httpOnly cookie or body.refreshToken) and clears the cookie. Always returns success, even if no token is present (idempotent).

This endpoint marks the Session row as revoked. The user's access token (JWT) remains valid until it expires (~15 minutes). To truly kill access immediately, also invalidate it client-side and rely on the short access TTL.

Request

Cookies

| Cookie | Notes |
| --- | --- |
| biore_refresh | httpOnly cookie, automatically sent. Cleared in response. |

Body

| Field | Type | Required | Validation | Notes |
| --- | --- | --- | --- | --- |
| refreshToken | string | — | @IsOptional() @IsString() | Used only when no cookie (mobile / non-web client) |

Response

200 OK — ApiResponseOf<MessageResponseDto>

{ "success": true, "data": { "message": "Logged out successfully" } }

The biore_refresh cookie is set with Max-Age=0 (cleared).

Errors

| HTTP | code / i18nKey | Reason |
| --- | --- | --- |
| 429 | (throttle) | Rate limit exceeded (60 req/hour) |

Side effects

  1. Mark Session.revokedAt = now() for the matching refresh token (if present).
  2. Clear biore_refresh cookie via Set-Cookie with Max-Age=0.
  3. Audit log: auth.logout.success.
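
A check for the behaviour described above, as an added example (not BIO.RE's own code): it confirms that a logout response clears biore_refresh with Max-Age=0 and reads the access token's exp claim to show how long an already-issued JWT stays usable. The function names, the sample Set-Cookie header (including its Path attribute) and the token are constructed for illustration, and the payload is decoded without signature verification.

```javascript
// Added example, not BIO.RE project code. Function names are illustrative.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// True when some Set-Cookie header clears biore_refresh with Max-Age=0.
function refreshCookieCleared(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .some((c) => c.name === 'biore_refresh' && c.attrs['max-age'] === '0');
}

// Seconds an access token is still accepted after logout, from its exp claim.
// Decodes the payload only; the signature is not verified here.
function secondsStillValid(jwt, nowSec) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  if (typeof payload.exp !== 'number') throw new Error('token has no exp claim');
  return Math.max(0, payload.exp - nowSec);
}

// Summarise what a logout did and did not end.
function logoutReport(setCookieHeaders, accessToken, nowSec) {
  return {
    refreshCookieCleared: refreshCookieCleared(setCookieHeaders),
    accessTokenSecondsLeft: secondsStillValid(accessToken, nowSec),
  };
}

// Constructed sample data (Path attribute and token contents are assumptions).
const NOW = 1700000000;
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = `${b64url({ alg: 'HS256', typ: 'JWT' })}.` +
  `${b64url({ sub: 'user-123', exp: NOW + 900 })}.constructed-signature`;
const sampleHeaders = ['biore_refresh=; Max-Age=0; Path=/; HttpOnly'];

console.log(logoutReport(sampleHeaders, sampleToken, NOW));
```

In a real check, pass the Set-Cookie headers from the logout response and the access token the client held before logging out.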

Code samples

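```bash
# -b sends the stored biore_refresh cookie; -c saves the cleared cookie jar
curl -X POST https://api.bio.re/api/v1/auth/logout \
  -b cookies.txt -c cookies.txt
```

```typescript
async function logout(): Promise<void> {
  await fetch('https://api.bio.re/api/v1/auth/logout', {
    method: 'POST',
    // Required so the browser sends the httpOnly biore_refresh cookie
    credentials: 'include',
  });
}
```

```typescript
import { useMutation, useQueryClient } from '@tanstack/react-query';
// Assumption: Next.js App Router; substitute your application's router.
import { useRouter } from 'next/navigation';

export function useLogout() {
  const qc = useQueryClient();
  const router = useRouter();
  return useMutation({
    mutationFn: async () => {
      await fetch('/api/v1/auth/logout', {
        method: 'POST',
        credentials: 'include',
      });
    },
    // Runs on success and on failure: drop cached data and leave the app
    onSettled: () => {
      qc.clear();
      router.push('/login');
    },
  });
}
```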

Source

| Source | Path | Lines |
| --- | --- | --- |
| Controller | apps/api-core/src/modules/auth/auth.controller.ts | 188–202 |
| DTO (request) | apps/api-core/src/modules/auth/dto/index.ts | 103–106 (LogoutDto) |
| Service | apps/api-core/src/modules/auth/auth.service.ts | logout() |
| Prisma model | packages/prisma/prisma/schema.prisma | Session.revokedAt |
