Logs out an authenticated user by invalidating their session and optionally blacklisting their JWT access token.

Description

The logout service:

Ends the current user session via the session service.
If the session ID is not provided via header, it will be extracted from the Bearer token claims (if available)
Generates a new guest token for the user and returns it in the response.

Headers:

Authorization (string, required if blacklisting is enabled): Bearer token to be blacklisted.
Session-Id (string, optional): Session ID to invalidate. If not provided, it will be extracted from the token (if possible).

Response

200 OK
json:
{
  "token": "<guest_token>"
}

Error Responses:

📘
The server response depends on context the values injected by the authentication middleware: userId, merchant