File length: 10772
# Post Authentication - Session Management -  Session invalidation
Source: https://supertokens.com/docs/post-authentication/session-management/session-invalidation

## Overview

You can invalidate a session in **SuperTokens** in different ways.
The main recommendation is to use the `signOut` function from the frontend SDK.
Besides that you can also revoke sessions manually, through the backend SDKs.
This guide shows you how to implement each of these.

## Before you start



---

## User sign out

The frontend SDK exposes a `signOut` function that revokes the session for the user.
You need to add your own UI element for this since the library does not expose any components.
The `signOut` function calls the sign out API exposed by the session recipe on the backend and, in turn, revokes all the user active sessions.
If you call the `signOut` function whilst the access token has expired, but the refresh token still exists, the SDKs automatically perform a session refresh before revoking the session.

:::important
You have to add your own redirection logic after the sign out call completes.
:::



<PrebuiltUIInstructions>

<Tabs>
<Tab value="reactjs">

```tsx
// highlight-next-line

function NavBar() {
  async function onLogout() {
    // highlight-next-line
    await signOut();
    window.location.href = "/auth"; // or redirect to wherever the login page is
  }
  return (
    <ul>
      <li>Home</li>
          // highlight-next-line
      <li onClick={onLogout}>Logout</li>

    </ul>
  )
}
```
</Tab>

<Tab value="angular">

```tsx
// highlight-next-line

async function logout () {
  // highlight-next-line
  await Session.signOut(); 
  window.location.href = "/auth"; // or redirect to wherever the login page is
}
```

</Tab>

</Tabs>

</PrebuiltUIInstructions>

<CustomUIInstructions>

<Tabs>
<Tab value="web">

<Tabs>
<Tab value="npm">

```tsx

async function logout () {
  // highlight-next-line
  await Session.signOut(); 
  window.location.href = "/auth"; // or redirect to wherever the login page is
}
```

</Tab>
<Tab value="scripts">

```tsx
async function logout () {
  // highlight-next-line
  await supertokensSession.signOut(); 
  window.location.href = "/auth"; // or redirect to wherever the login page is
}
```

</Tab>
</Tabs>

</Tab>

<Tab value="mobile">

<Tabs>

<Tab value="reactnative">

```tsx

async function logout () {
  // highlight-next-line
  await SuperTokens.signOut(); 
  // navigate to the login screen..
}
```

</Tab>

<Tab value="android">

```kotlin
        // navigate to the login screen..
    }
}
```

</Tab>

<Tab value="ios">

```swift

Future<void> signOut() async {
    await SuperTokens.signOut(
      completionHandler: (error) => {
        // Handle error if any
      }
    );
}
```

</Tab>

</Tabs>

</Tab>

</Tabs>

</CustomUIInstructions>

### Expose a backend sign out method

If you do not want to use the frontend function you can expose a backend sign out method.

<Tabs>
<Tab value="nodejs">

<Tabs>
<Tab value="express">

```tsx

let app = express();

// highlight-start
app.post("/someapi", verifySession(), async (req: SessionRequest, res) => {

    // This will delete the session from the db and from the frontend (cookies)
    await req.session!.revokeSession();
    // highlight-end

    res.send("Success! User session revoked");
});
```
</Tab>
<Tab value="hapi">

```tsx

let server = Hapi.server({ port: 8000 });

server.route({
    path: "/someapi",
    method: "post",
    //highlight-start
    options: {
        pre: [
            {
                method: verifySession()
            },
        ],
    },
    handler: async (req: SessionRequest, res) => {
        // This will delete the session from the db and from the frontend (cookies)
        await req.session!.revokeSession();
        // highlight-end
        return res.response("Success! User session revoked").code(200);
    }
})
```
</Tab>
<Tab value="fastify">

```tsx

let fastify = Fastify();

//highlight-start
fastify.post("/someapi", {
    preHandler: verifySession(),
}, async (req: SessionRequest, res) => {
    // This will delete the session from the db and from the frontend (cookies)
    await req.session!.revokeSession();
    // highlight-end

    res.send("Success! User session revoked");
});
```

</Tab>
<Tab value="awsLambda">

```tsx

// highlight-start
async function someapi(awsEvent: SessionEvent) {
    // This will delete the session from the db and from the frontend (cookies)
    await awsEvent.session!.revokeSession();
    // highlight-end

    return {
        body: JSON.stringify({ message: "Success! User session revoked" }),
        statusCode: 200,
    };
};

exports.handler = verifySession(someapi);
```

</Tab>
<Tab value="koa">

```tsx

let router = new KoaRouter();

//highlight-start
router.post("/someapi", verifySession(), async (ctx: SessionContext, next) => {
    // This will delete the session from the db and from the frontend (cookies)
    await ctx.session!.revokeSession();
    // highlight-end

    ctx.body = "Success! User session revoked";
});
```

</Tab>
<Tab value="loopback">

```tsx

class Logout {
    //highlight-start
    constructor(@inject(RestBindings.Http.CONTEXT) private ctx: SessionContext) { }
    @post("/someapi")
    @intercept(verifySession())
    @response(200)
    async handler() {
        // This will delete the session from the db and from the frontend (cookies)
        await this.ctx.session!.revokeSession();
        // highlight-end

        return "Success! User session revoked";
    }
}
```

</Tab>
<Tab value="nextjs">

<Tabs.HeaderCustomActions>
  <NextjsRouterTypeSelect />
</Tabs.HeaderCustomActions>

<ConditionalContent propertyName="nextjsRouterType" condition="pages-router">

```tsx

// highlight-start
export default async function someapi(req: SessionRequest, res: any) {
    await superTokensNextWrapper(
        async (next) => {
            // highlight-next-line
            await verifySession()(req, res, next);
        },
        req,
        res
    )
    // This will delete the session from the db and from the frontend (cookies)
    await req.session!.revokeSession();
    // highlight-end
    res.send("Success! User session revoked");
}
```

</ConditionalContent>

<ConditionalContent propertyName="nextjsRouterType" condition="app-router">

```tsx
// @ts-ignore

SuperTokens.init(backendConfig());

export function POST(request: NextRequest) {
    return withSession(request, async (err, session) => {
        if (err) {
            return NextResponse.json(err, { status: 500 });
        }
        // This will delete the session from the db and from the frontend (cookies)
        await session!.revokeSession();
        return NextResponse.json({ message: "Success! User session revoked" });
    });
}
```

</ConditionalContent>

</Tab>

<Tab value="nestjs">

```ts
// @ts-ignore

@Controller()
export class ExampleController {
  // For more information about "AuthGuard" and the "Session" decorator please read our NestJS guide.
  @Post('someapi')
  @UseGuards(new AuthGuard())
  async postSomeAPI(@Session() session: SessionContainer): Promise<string> {
    await session.revokeSession();

    return "Success! User session revoked";
  }
}
```
</Tab>
</Tabs>
</Tab>
<Tab value="go">

```go
	err := sessionContainer.RevokeSession()
	if err != nil {
		err = supertokens.ErrorHandler(err, r, w)
		if err != nil {
			// TODO: Send 500 status code to client
		}
		return
	}

	// TODO: Send 200 response to client
}
```

</Tab>
<Tab value="python">

<Tabs>
<Tab value="fastapi">

```python
from supertokens_python.recipe.session.framework.fastapi import verify_session
from supertokens_python.recipe.session import SessionContainer
from fastapi import Depends
from fastapi.responses import PlainTextResponse

# highlight-start
async def some_api(session: SessionContainer = Depends(verify_session())):
    await session.revoke_session() # This will delete the session from the db and from the frontend (cookies)
    # highlight-end
    return PlainTextResponse(content='success')
```

</Tab>
<Tab value="flask">

```python
from supertokens_python.recipe.session.framework.flask import verify_session
from supertokens_python.recipe.session import SessionContainer
from flask import g

# highlight-start
@app.route('/some_api', methods=['POST']) # type: ignore
@verify_session()
def some_api():
    session: SessionContainer = g.supertokens # type: ignore

    session.sync_revoke_session() # This will delete the session from the db and from the frontend (cookies)
    # highlight-end
    return 'success'
```

</Tab>
<Tab value="django">

```python
from typing import cast

from django.http import HttpRequest

from supertokens_python.recipe.session import SessionContainer
from supertokens_python.recipe.session.framework.django.asyncio import verify_session

# highlight-start
@verify_session()
async def some_api(request: HttpRequest):
    session: SessionContainer = cast(SessionContainer, request.supertokens) # type: ignore This will delete the session from the db and from the frontend (cookies)
    # highlight-end
    await session.revoke_session()
```

</Tab>
</Tabs>

</Tab>
</Tabs>

:::info Tip

If you are using the pre-built UI, and the `<SessionAuth>` component set custom post log out logic with the `onSessionExpired` prop. 
The handler gets called if:
- The backend has revoked the session, but not the frontend.
- The user has been inactive for too long and their refresh token has expired.

```tsx
// @ts-ignore

const App = () => {
    return (
        <SessionAuth
            onSessionExpired={() => {/* ... */ }}>
            <MyComponent />
        </SessionAuth>
    );
}
```
:::

---

## Direct session invalidation

To invalidate a session without relying on the intervention of a user you can create your own custom methods using the backend SDKs.

:::caution
This method of revoking a session only deletes the session from the database and not from the frontend.
This implies that the user can still access protected endpoints while their access token is alive.
If you want to instantly logout the user in this mode, you should [enable access token blacklisting](/docs/post-authentication/session-management/advanced-workflows/access-token-blacklisting).
:::

### Revoke a specific session

<Tabs>
<Tab value="nodejs">

```tsx

async function revokeSession(sessionHandle: string) {
    let revoked = await Session.revokeSession(sessionHandle);
};
```
</Tab>
<Tab value="go">

```go

let app = express();

app.use("/revoke-all-user-sessions", async (req, res) => {

    let userId = req.body.userId
    // highlight-next-line
    await Session.revokeAllSessionsForUser(userId);

    res.send("Success! All user sessions have been revoked");
});
```
</Tab>
<Tab value="go">

```go