---
title: Logout (RP-initiated)
---

# Logout (RP-initiated)

End the user's Little X Little session and revoke your client's tokens with one redirect. Implements [OIDC RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0.html).

## Build the URL

```
https://id.littlexlittle.org/oidc/logout
  ?id_token_hint=eyJ...               (the user's id_token, optional but recommended)
  &post_logout_redirect_uri=https://yoursite.org/  (must be pre-registered)
  &state=RANDOM
```

## What happens

1. We invalidate the LXL session cookie at `id.littlexlittle.org`.
2. We revoke all access and refresh tokens issued to **this client** for **this user**.
3. We render a brief "Signing you out..." page if `post_logout_redirect_uri` is omitted.
4. Otherwise we 302 back to your URL with `?state=...` echoed.

Other clients the user signed into are **not** automatically logged out. If you need single-logout, listen for the `account.signed_out` [webhook event](webhooks.md) and revoke local sessions yourself.

## PHP example

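```php
// Build the logout URL while the session (and its id_token) is still available.
$logoutUrl = $client->logoutUrl([
    'id_token_hint'            => $_SESSION['id_token'],
    'post_logout_redirect_uri' => 'https://yoursite.org/',  // must be pre-registered
    'state'                    => bin2hex(random_bytes(8)),
]);
session_destroy();   // clear local session first
header('Location: ' . $logoutUrl);
exit;                // stop the script so nothing runs after the redirect
```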
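
The following is an added example, not part of the Little X Little SDK: it builds the logout URL by hand with each parameter percent-encoded, and checks the echoed `state` when the user lands back on `post_logout_redirect_uri`. The function names and the `lxl_logout_state` cookie name are assumptions made for illustration.

```php
<?php
// Added example: function names and the cookie name are hypothetical.
const LXL_LOGOUT_ENDPOINT = 'https://id.littlexlittle.org/oidc/logout';
const STATE_COOKIE = 'lxl_logout_state';

// Build the logout URL; http_build_query percent-encodes every value.
function buildLogoutUrl(?string $idToken, string $returnUri, string $state): string
{
    $params = ['post_logout_redirect_uri' => $returnUri, 'state' => $state];
    if ($idToken !== null && $idToken !== '') {
        $params = ['id_token_hint' => $idToken] + $params; // optional but recommended
    }
    return LXL_LOGOUT_ENDPOINT . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Constant-time comparison; rejects missing, empty, or non-string values (e.g. state[]=x).
function stateMatches($expected, $returned): bool
{
    return is_string($expected) && $expected !== ''
        && is_string($returned) && hash_equals($expected, $returned);
}

// Step 1: call from your "sign out" route.
function startLogout(string $returnUri): void
{
    session_start();
    $idToken = $_SESSION['id_token'] ?? null; // read before the session is destroyed
    $state = bin2hex(random_bytes(16));
    // The session is about to go away, so keep state in a short-lived cookie.
    // SameSite=Lax so it is still sent on the top-level 302 back to this site.
    setcookie(STATE_COOKIE, $state, [
        'expires' => time() + 300, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    $_SESSION = [];
    session_destroy();
    header('Location: ' . buildLogoutUrl($idToken, $returnUri, $state));
    exit;
}

// Step 2: call on the page registered as post_logout_redirect_uri.
function finishLogout(): bool
{
    $ok = stateMatches($_COOKIE[STATE_COOKIE] ?? null, $_GET['state'] ?? null);
    setcookie(STATE_COOKIE, '', ['expires' => 1, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax']); // one-time use: expire it
    return $ok;
}
```

If `finishLogout()` returns `false`, the request did not come from a logout your site started, so render the signed-out page without acting on anything else in the query string.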

## Local-only logout

If you just want to clear your own session and **stay** signed into Little X Little (so other apps still work), don't redirect to `/oidc/logout`. Just clear your cookies.

## Programmatic revocation (without UI)

Use [RFC 7009 token revocation](../reference/endpoints.md#post-oidcrevoke) instead:

```bash
curl -X POST https://id.littlexlittle.org/oidc/revoke \
  -d "token=$REFRESH_TOKEN" \
  -d "token_type_hint=refresh_token" \
  -d "client_id=YOUR_CLIENT_ID"
```

This returns `200` with no body (per spec) and revokes the entire chain.
