Logout

Endpoint: /action/logout

Terminates the currently active WalletTwo user session and notifies the host page. Use this action when your application needs to trigger a WalletTwo sign-out as part of your own sign-out flow — for example, when the user logs out of your platform and you want to clean up the embedded wallet session at the same time.

Required user state

Check

Middleware

Redirects to if missing

User is logged in

LoggedMiddleware

/auth/login

Email is verified

EmailVerifiedMiddleware

/auth/email/verify

Wallet is created

WalletMiddleware

/auth/wallet/register

Iframe URL

https://<WALLETTWO_ORIGIN>/action/logout?iframe=true

Optional parameters:

Param

Required

Type

Description

redirect_uri

string (absolute URL)

If provided, the iframe navigates here after logout completes

iframe

Yes (for embedding)

"true"

Activates bare rendering mode

Full example:

https://<WALLETTWO_ORIGIN>/action/logout?iframe=true&redirect_uri=https%3A%2F%2Fexample.com%2Fsigned-out

What happens when the action runs

On mount, logout() is called immediately (no user confirmation prompt).
Regardless of whether logout succeeds or fails, window.parent.postMessage(...) is fired.
If redirect_uri is present, the iframe navigates to that URL.
While waiting, a centered loading spinner is shown.

The logout always completes silently from the user's perspective. Errors are logged to the browser console only.

postMessage event

Fired to window.parent after the logout attempt finishes (whether it succeeded or failed):

{
  event: "wallet_logout",
  type: "wallet_logout"
}

Field

Description

event

Always "wallet_logout"

type

Always "wallet_logout" (legacy alias, same value)

There is no success/failure distinction in the event. If your application needs to confirm the logout actually succeeded, use the redirect_uri path together with a server-side session check.

redirect_uri callback

The iframe navigates to redirect_uri with no additional query params appended:

https://example.com/signed-out

Host page integration

Option A: postMessage only

<iframe
  id="w2-logout"
  src="https://<WALLETTWO_ORIGIN>/action/logout?iframe=true"
  style="width:1px;height:1px;border:0;visibility:hidden;"
></iframe>

<script>
  const WALLET_TWO_ORIGIN = "https://<WALLETTWO_ORIGIN>";

  window.addEventListener("message", (event) => {
    if (event.origin !== WALLET_TWO_ORIGIN) return;

    if (event.data?.event === "wallet_logout") {
      // Session is cleared, clean up your own state
      clearLocalSession();
      window.location.href = "/signed-out";
    }
  });
</script>

Option B: redirect_uri

If you prefer not to use postMessage, pass a redirect_uri to your own page and handle the arrival there:

/action/logout?iframe=true&redirect_uri=https%3A%2F%2Fexample.com%2Flogout-complete

When the iframe lands on https://example.com/logout-complete, your server can clear the session cookie and redirect the top-level page as needed.

Triggering logout programmatically from the parent page

You can create the logout iframe dynamically when a user signs out of your platform, without keeping it in the DOM at all times:

function triggerWalletTwoLogout() {
  return new Promise((resolve) => {
    const WALLET_TWO_ORIGIN = "https://<WALLETTWO_ORIGIN>";

    const iframe = document.createElement("iframe");
    iframe.style.display = "none";
    iframe.src = `${WALLET_TWO_ORIGIN}/action/logout?iframe=true`;
    document.body.appendChild(iframe);

    const timeout = setTimeout(() => {
      cleanup();
      resolve(); // Proceed even if no event arrives
    }, 5000);

    function onMessage(event) {
      if (event.origin !== WALLET_TWO_ORIGIN) return;
      if (event.data?.event !== "wallet_logout") return;
      cleanup();
      resolve();
    }

    function cleanup() {
      clearTimeout(timeout);
      window.removeEventListener("message", onMessage);
      document.body.removeChild(iframe);
    }

    window.addEventListener("message", onMessage);
  });
}

Notes

The action logs out the user immediately on mount without any confirmation step. Do not navigate to this route unless you intend to end the session.
Logout errors are swallowed silently in the UI. Even if the server-side logout call fails, the wallet_logout event is still fired.
After logout, if the user navigates to any /action/* or /wallet/* route, they will be redirected to /auth/login by LoggedMiddleware.

PreviousAuth NextSignature

Last updated 9 days ago

hashtagRequired user state

hashtagIframe URL

hashtagWhat happens when the action runs

hashtagpostMessage event

hashtagredirect_uri callback

hashtagHost page integration

hashtagOption A: postMessage only

hashtagOption B: redirect_uri

hashtagTriggering logout programmatically from the parent page

hashtagNotes