Log out
Revoke the session key, optionally delete the device key.
Revoke the session key (a self-revoke signed by the session’s own Ed25519 key) and, if an
X-DEVICE-KEY is presented, delete that device key too.
The session signature both authorises the self-revoke and drives the response. Device-key deletion is best-effort: a missing/expired device key, a cross-account key, or a delete failure does not fail logout — the session revoke is the security-critical step. Already-minted WS tickets are not revoked here and remain valid until their (short) TTL.
Authentication
Body: a session-key (Ed25519) signed RevokeSession whose target is the signing session
itself. Optional X-DEVICE-KEY header naming the device key to delete.
Authorizations
Base64-encoded device-key secret issued by POST /api/v1/login.
Body
Signed write request. The JSON body is a Base64SignedPayload; its base64 payload decodes to the binary layout [Header(8) || RequestId(16) || Body || Auth] the client signs — see spec/signing.md for the byte layout, signature types, and signing procedure. The decoded Body is:
RevokeSessionwhenHeader.request_type=revoke_session(14).
JSON envelope for a signed request: the base64-encoded canonical payload plus the base64
signature and public_key of the signing credential. Session-key (Ed25519) endpoints accept
exactly these fields; master-key (Secp256k1 / Passkey) endpoints sign the same payload and may
carry additional signature material. Endpoints also accept the equivalent
application/octet-stream binary frame.
Base64-encoded bytes of the canonical request payload.
"AQABAAAAAAB4m2tQz9KvX1Yk2mN3oQ4rS5tU6vW7xZ8aB9cD0eF1gH2iJ3kL5mN7oP9qR1sT3uV5wX7yZ9a="
Base64-encoded public key of the signing credential.
"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="
Base64-encoded signature over the payload.
"AAcOFRwjKjE4P0ZNVFtiaXB3foWMk5qhqK+2vcTL0tng5+71/AMKERgfJi00O0JJUFdeZWxzeoGIj5adpKuyuQ=="