Qeet Docs
OIDC / OAuth provider

RP-initiated logout

End the IdP session with OIDC RP-initiated logout — id_token_hint plus a post-logout redirect.

When a user signs out of a relying party (RP), you often want to end their session at the identity provider too, so the next visit re-authenticates. Qeet ID implements OIDC RP-initiated logout (end_session).

GET/v1/oauth/logoutEnd session (RP-initiated logout)
Text
GET /v1/oauth/logout
  ?id_token_hint=<the user's id_token>
  &post_logout_redirect_uri=https://app.acme.com
  &state=<csrf>

Qeet ID validates the id_token_hint, clears the hosted-login SSO session, and redirects to post_logout_redirect_uri (which must be registered on the client as a post-logout URI). A POST form-binding variant is also available.

Next.js handles it

Linking to /api/auth/logout with @qeetid/nextjs clears the local encrypted cookie and triggers RP-initiated logout at Qeet ID.

To revoke a specific token without a full IdP logout, use RFC 7009 revocation. To revoke a backend user session directly, see Sessions.

Machine-to-machine

OAuth client_credentials for service principals — token-endpoint auth, scopes, and lifecycle.

Enterprise

Full B2B federation — SAML 2.0 as both Service Provider and Identity Provider, SCIM 2.0 Users + Groups, and LDAP — open-source, no SSO tax.