---
title: OIDC logout returns 404 for GLOBAL apps
path: troubleshooting/oidc-logout-for-global-apps
status: published
---

# OIDC logout returns 404 for GLOBAL apps

## Symptom

A `GLOBAL`-scoped application tries to log a user out via something like:

```
https://scaikey.scailabs.ai/oidc/logout?post_logout_redirect_uri=...&client_id=...
```

The browser sees a 404. The user stays signed in.

## Cause

There is no `/oidc/logout` route in ScaiKey. The URL was a guess; nothing serves it.

Real OIDC logout (RP-initiated end_session) endpoints in ScaiKey are:

- **Tenant-scoped:** `/api/v1/auth/tenants/{slug}/oauth/logout`
- **Platform (for GLOBAL apps):** `/api/v1/platform/oauth/logout`

A `GLOBAL` application doesn't have a tenant slug to put in the URL, which is why the tenant variant isn't usable — that's the right intuition. The fix is to use the platform variant, which resolves the user's tenant via the SSO session cookie instead of from the URL.

## Fix

Send users to:

```
$SCAIKEY/api/v1/platform/oauth/logout?post_logout_redirect_uri=https%3A%2F%2Fyourapp.example%2Flogin&client_id=<your client_id>
```

Query parameters:

| Parameter | Required | Notes |
|---|---|---|
| `post_logout_redirect_uri` | recommended | Where to send the user after logout. Should be registered in the app's `logout_uris` |
| `id_token_hint` | optional | The user's last ID token; helps ScaiKey identify the session if the cookie was lost |
| `state` | optional | Opaque value echoed back in the redirect; used for CSRF protection |
| `client_id` | optional | Your `client_id` — informational |

The endpoint:

1. Reads the SSO session cookie.
2. Terminates the session (sets `terminated_at`, `terminated_reason=user_logout`).
3. Clears the SSO cookie.
4. Redirects to `post_logout_redirect_uri` if provided, otherwise to the default ScaiKey "signed out" page.

## Discovery

The platform `.well-known/openid-configuration` document includes `end_session_endpoint` pointing at the platform logout URL — modern OIDC libraries read this automatically when configured against the platform discovery URL. If your OIDC library is reading discovery, you shouldn't need to hardcode anything.
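For clients that build the logout redirect by hand, the following added example (not ScaiKey's own code) takes the URL from `end_session_endpoint` in the discovery document instead of a guessed path, and checks the echoed `state` when the user returns. The discovery document, the host `scaikey.example`, the client ID and the function names are constructed for illustration; `state` coming back as a query parameter is assumed from standard RP-initiated logout behaviour.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of the platform discovery document (only the field used here).
SAMPLE_DISCOVERY = {
    "end_session_endpoint": "https://scaikey.example/api/v1/platform/oauth/logout",
}


def build_logout_url(discovery, post_logout_redirect_uri, client_id=None,
                     id_token_hint=None, state=None):
    """Return (url, state) for RP-initiated logout against end_session_endpoint."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("discovery document has no end_session_endpoint")
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("end_session_endpoint must be https")
    # Fresh random state per logout request unless the caller supplies one.
    state = state or secrets.token_urlsafe(16)
    params = {"post_logout_redirect_uri": post_logout_redirect_uri, "state": state}
    if client_id:
        params["client_id"] = client_id
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    # urlencode percent-encodes the redirect URI (https%3A%2F%2F...).
    return f"{endpoint}?{urlencode(params)}", state


def state_matches(callback_url, expected_state):
    """Constant-time check that the state on the post-logout redirect is ours.

    Assumes state is echoed as a query parameter on post_logout_redirect_uri.
    """
    returned = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    return hmac.compare_digest(returned.encode(), expected_state.encode())


if __name__ == "__main__":
    url, st = build_logout_url(SAMPLE_DISCOVERY, "https://yourapp.example/login",
                               client_id="example-client-id")
    print(url)
```

Store the returned `state` in the user's application session before redirecting, and compare it with `state_matches` on the page that `post_logout_redirect_uri` points to.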

## Auth UI behavior

If you hit `$SCAIKEY/auth/logout?post_logout_redirect_uri=...` directly (the user-facing logout page rather than the OIDC endpoint), the page clears local browser state and then bounces to `post_logout_redirect_uri`. This works for `GLOBAL` apps too — it's a fine fallback if you want to control the visible "signing out…" message before redirect. Note it's a frontend page, not an OIDC end_session endpoint, so it doesn't appear in discovery.

## Related

- [Reference → OAuth endpoints → End_session](/docs/scaikey/reference/oauth-endpoints#end_session-endpoint-rp-initiated-logout)
- [Concepts → OAuth and OIDC](/docs/scaikey/concepts/oauth-and-oidc)
