POST /auth/logout adds the caller's jti to the denylist and drops the local negative-cache entry, so the token 401s on its very next use. Single-session semantics: only this token dies; other sessions for the same user keep working. Reachable for must_change_password users (it runs the revocation checks but skips the must_change gate via get_token_claims), so a session can always be ended; an already-revoked token is rejected.
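An in-memory model of the logout semantics described above, added here as an illustration rather than the project's own code. The `AuthState` store, the `is_revoked`/`require_auth`/`status` helpers and the token dict layout (`jti`, `sub`) are assumptions; the point it shows is why the negative-cache entry must be evicted at logout, and why the revocation check runs without the must_change gate.

```python
from dataclasses import dataclass, field


@dataclass
class AuthState:
    denylist: set = field(default_factory=set)              # revoked jti values (shared store)
    negative_cache: set = field(default_factory=set)        # jti values recently confirmed NOT revoked
    must_change_password: set = field(default_factory=set)  # user ids forced to rotate their password


class Unauthorized(Exception):
    pass


def is_revoked(state: AuthState, jti: str) -> bool:
    # The negative cache short-circuits the denylist lookup; logout must evict
    # the entry or the revoked token would keep passing until the entry expired.
    if jti in state.negative_cache:
        return False
    if jti in state.denylist:
        return True
    state.negative_cache.add(jti)
    return False


def get_token_claims(state: AuthState, token: dict) -> dict:
    """Revocation checks only; deliberately skips the must_change gate."""
    if is_revoked(state, token["jti"]):
        raise Unauthorized("token revoked")
    return token


def require_auth(state: AuthState, token: dict) -> dict:
    """Ordinary endpoints: revocation check plus the must_change gate."""
    claims = get_token_claims(state, token)
    if claims["sub"] in state.must_change_password:
        raise Unauthorized("password change required")
    return claims


def logout(state: AuthState, token: dict) -> str:
    """POST /auth/logout: revoke only this token's jti; returns the revoked jti."""
    claims = get_token_claims(state, token)       # already-revoked token -> Unauthorized
    state.denylist.add(claims["jti"])
    state.negative_cache.discard(claims["jti"])   # so the very next use hits the denylist
    return claims["jti"]


def status(fn, *args) -> int:
    """HTTP-style outcome of a call: 200 on success, 401 on Unauthorized."""
    try:
        fn(*args)
        return 200
    except Unauthorized:
        return 401
```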