[Bug?] End Session Endpoint

Hello, I just notice that end session endpoint only revoke access tokens created from the browser but the refresh token still works. Is it normal ??

Ask Inkeep•12/10/25, 7:50 AM

Hi @Angel, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•12/10/25, 7:51 AM

Answer

Yes, this is expected behavior. Ending a session via the /oidc/v1/end_session/oidc/v1/end_session endpoint only invalidates access tokens—it does not automatically revoke refresh tokens. questions-help-bugsOAuth token revocation

To revoke refresh tokens, you need to explicitly call the revocation endpoint: (2) , questions-help-bugsOAuth token revocation

{your_domain}/oauth/v2/revoke

{your_domain}/oauth/v2/revoke

(2)

This endpoint allows you to revoke both access tokens and refresh tokens by passing the token you want to revoke.

Ask Inkeep•12/10/25, 7:51 AM

To learn more, see the sources I considered:

questions-help-bugsOAuth token revocation
[2] OpenID Connect Endpoints in ZITADEL

Ask Inkeep•12/10/25, 7:51 AM

Feel free to tag @Ask Inkeep with additional questions.

AngelOP•12/10/25, 7:55 AM

@Ask Inkeep Then how do I specifically revoke all token emited by the browser than called end session ?

Ask Inkeep•12/10/25, 7:55 AM

Thanks for the follow-up, @Angel. I'll get back to you soon.

Ask Inkeep•12/10/25, 7:55 AM

Answer

To revoke all tokens when a user logs out from the browser, you have a couple of options:

Option 1: Revoke All Refresh Tokens for the User

You can call the endpoint to revoke all refresh tokens for the authenticated user: (1)

POST <https://$CUSTOM-DOMAIN/auth/v1/users/me/tokens/refresh/_revoke_all>

POST <https://$CUSTOM-DOMAIN/auth/v1/users/me/tokens/refresh/_revoke_all>

This will revoke all refresh tokens belonging to that user.

Option 2: Explicitly Revoke the Refresh Token

Before or after calling /oidc/v1/end_session/oidc/v1/end_session, you can call the revocation endpoint to revoke the specific refresh token: (2) , (3)

POST {your_domain}/oauth/v2/revoke

POST {your_domain}/oauth/v2/revoke

The request body must be x-www-form-urlencodedx-www-form-urlencoded with: (2)

```
token
```
```
token
```
: the refresh token to revoke
```
client_id
```
```
client_id
```
: your application's client_id
Additional parameters depending on your authentication method (client_secret, PKCE, or client_assertion) (3)

Important: When you revoke a refresh token, the corresponding access token will also be revoked. However, revoking only an access token does not revoke the refresh token.

So the recommended approach is to call the revocation endpoint with the refresh token before ending the session, or use the "revoke all refresh tokens" endpoint if you want to invalidate all of them.

Ask Inkeep•12/10/25, 7:55 AM

To learn more, see the sources I considered:

[1] Revoke All Refresh Tokens
[2] How to revoke an Access Token/Refresh Token
[3] OpenID Connect Endpoints in ZITADEL

Ask Inkeep•12/10/25, 7:55 AM

Feel free to tag @Ask Inkeep with additional questions.

AngelOP•12/10/25, 8:04 AM

@Ask Inkeep Then how do I make sure when the user log out, his refresh tokens dont work anymore

Ask Inkeep•12/10/25, 8:04 AM

Thanks for the follow-up, @Angel. I'll get back to you soon.

Ask Inkeep•12/10/25, 8:04 AM

Answer

To ensure refresh tokens are invalidated when a user logs out, you need to explicitly revoke them using the revocation endpoint as part of your logout flow. (1)

Use the revocation endpoint to revoke the refresh token:

POST ${CUSTOM_DOMAIN}/oauth/v2/revoke

POST ${CUSTOM_DOMAIN}/oauth/v2/revoke

Pass the

token

token

parameter with the refresh token value.

Key behavior: When you revoke a refresh_tokenrefresh_token, the corresponding

access_token

access_token

will also be revoked.

Depending on your authentication method, you'll need to include additional parameters:

client_secret_basic: Send
```
client_id
```
```
client_id
```
and
```
client_secret
```
```
client_secret
```
as Basic Auth Header

client_secret_post: Send

client_id

client_id

and

client_secret

client_secret

in the body

PKCE (none) : Send
```
client_id
```
```
client_id
```
in the body
private_key_jwt: Send client_assertionclient_assertion and client_assertion_typeclient_assertion_type

Recommended approach: In your logout flow, call the revocation endpoint with the refresh token before redirecting to the end_session_endpointend_session_endpoint. This ensures all tokens are invalidated when the user logs out.

Ask Inkeep•12/10/25, 8:05 AM

To learn more, see the sources I considered:

[1] OpenID Connect Endpoints in ZITADEL

Ask Inkeep•12/10/25, 8:05 AM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] OpenID Connect Endpoints in...

Ask InkeepAPP•12/10/25, 8:08 AM

Glad I could be helpful. Feel free to create a new thread with any new questions you may have.