Storyden
Auth

Auth Provider Logout

Performs a HTTP logout by clearing the session cookie and redirecting to to the requested path at the frontend's `WEB_ADDRESS`. Typically this may be a secondary logout route on the frontend implementation that can handle any frontend-specific logout tasks. This is necessary in cases where the frontend is running on a different origin to the API service such as api.site.com vs site.com because Clear-Site-Data and other headers are same-origin compliant and won't work cross-origin.

POST/auth/logout

Performs a HTTP logout by clearing the session cookie and redirecting to to the requested path at the frontend's WEB_ADDRESS. Typically this may be a secondary logout route on the frontend implementation that can handle any frontend-specific logout tasks. This is necessary in cases where the frontend is running on a different origin to the API service such as api.site.com vs site.com because Clear-Site-Data and other headers are same-origin compliant and won't work cross-origin.

Authorization

browser
storyden-session<token>

In: cookie

Query Parameters

redirect?string

Path relative to the WEB_ADDRESS to redirect to. Note that this is a path only and not a full URL to prevent cross-origin or cross-site redirects. If not provided, redirects to WEB_ADDRESS index page.

Response Body

curl -X POST "https://example.com/auth/logout"
Empty
Edit on GitHub

Auth Provider List GET

Retrieve a list of authentication providers. Storyden supports a few ways to authenticate, from simple passwords to OAuth and WebAuthn. This endpoint tells a client which auth capabilities are enabled.

O Auth Authorise GET

Start the browser-based OAuth 2.0 Authorization Code flow with PKCE. This endpoint requires a browser session. If the account is not signed in, Storyden redirects to the frontend login route instead of returning a protocol redirect to the client application. Unlike many OAuth servers, Storyden does not render a consent page from this API endpoint. A valid request creates a short-lived pending authorisation request and redirects the browser to the configured frontend authorisation-code consent URL. Custom frontends can change this URL with `OAUTH_AUTHORISATION_CODE_CONSENT_URL`. The `scope` parameter follows OAuth 2.0 and is optional. Empty or omitted scope means no requested scopes. Storyden permission scopes are granted only when allowed by the client and by the signed-in account's current permissions.