Is there a reason the Hydra getOAuth2LogoutRequest...
# ory-selfhosting
c
Is there a reason the Hydra getOAuth2LogoutRequest and acceptOAuth2LogoutRequest are admin-level APIs? We're having trouble understanding where we can call these APIs safely from an SPA (Consent UI??). Is the idea that these APIs should be called from a backend?
r
Yes these APIs must be called from a secure backend only.
c
@refined-kangaroo-48640 Thanks for clarifying. I see that in the selfservice-ui example they seem to be in the frontend though? https://github.com/ory/kratos-selfservice-ui-node/blob/647f272b847790287ee96175b6b6145eb6b2ff0b/src/routes/logout.ts#L28 Or is that code running on the backend (not an SPA)? If it is in the backend, it doesn't appear to be authorized, which defeats the point? My current issue is that in our case all of this happens in the context of an SPA, so I'm not sure whether there's a pattern to call and authorize this backend API or if it's just up to the implementor. See diagram and red items below:
r
The code you linked runs server-side. It talks to the Hydra Admin API. The Hydra Admin API needs to be secured and must not be open to the outside world.
c
Thanks! Is there a pattern to make this logout call from an SPA? (Our login UI is an SPA.) Basically I just want to confirm that authorizing the Hydra admin API calls via session cookie is enough, or if that is too lenient. At the moment we make a call from the SPA login UI to our own backend, which checks if the caller has a session and that this session matches what comes back from the getOauth2LogoutRequest call (i.e. which user initiated the logout request). That's the best I could come up with for authorization in this case.