<@U04UQ68083H> in browser flow, how to perform log...
# ory-copilot
r
@chilly-king-10285 in browser flow, how to perform logout?
b
A message from kapa.ai
To perform a logout in a browser flow with Ory, you need to:

1. Create a browser logout flow by calling the `createBrowserLogoutFlow` endpoint. This generates a logout URL associated with the current session cookie.
2. Redirect the user to the logout URL. This URL will invalidate the session and remove the session cookie.
3. Optionally, specify a post-logout redirect URL using the `return_to` query parameter, or configure a default in the Ory Console.

### Example (Express.js)

```js
// Create logout route
app.get("/logout", async (req, res) => {
  try {
    // Create a logout flow
    const { logout_url } = await ory.createBrowserLogoutFlow({
      cookie: req.header("cookie"),
    })
    // Redirect to logout URL
    res.redirect(logout_url)
  } catch (err) {
    res.redirect("/")
  }
})
```

### Example (Next.js API Route)

```ts
import { NextRequest, NextResponse } from "next/server"
import ory from "@/lib/ory"

export async function GET(request: NextRequest) {
  try {
    const { logout_url } = await ory.createBrowserLogoutFlow({
      cookie: request.headers.get("cookie") || "",
    })
    return NextResponse.redirect(logout_url)
  } catch (error) {
    return NextResponse.redirect(new URL("/", request.url))
  }
}
```

### What happens after logout?

- The user's session is invalidated.
- The session cookie is removed from the browser.
- The user is redirected to the specified return URL or the default post-logout URL.

For more details and code samples, see the official documentation: [Sign out](https://www.ory.sh/docs/identities/get-started/sign-out), [Logout flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#logout-flow), and [Logout for browser apps](https://www.ory.sh/docs/guides/upgrade/sdk-v1#logout-for-browser-apps).
r
@chilly-king-10285 what is the url to init the logout?
b
A message from kapa.ai
To initiate the logout in the browser flow, you need to call the following endpoint:

```
GET /self-service/logout/browser
```

This endpoint initializes a browser-based user logout flow and returns a logout URL that you can use to log out the user. If you are calling this endpoint from a backend, make sure to include the original Cookie header in the request to associate the logout with the correct session [Logout flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#logout-flow) [createBrowserLogoutFlow](https://www.ory.sh/docs/identities/get-started/sign-out).

Example usage:

```
https://<your-project-slug>.projects.oryapis.com/self-service/logout/browser
```

You can also provide an optional `return_to` query parameter to specify where the user should be redirected after logout.
r
@chilly-king-10285 how to perform session refresh without logging in again
b
A message from kapa.ai
To refresh a session without requiring the user to log in again, you can use the session extension (refresh) feature provided by Ory. This can be done programmatically (typically by an administrator or backend process) using the Extend Session API.

### How to Refresh a Session

- As an administrator or backend process: Use the [extend session API](https://www.ory.sh/docs/reference/api#tag/identity/operation/extendSession) to refresh a user's session. This does not require user interaction and does not prompt the user to log in again.

#### Example in Go

```go
session, _, err = ory.IdentityApi.ExtendSession(ContextWithToken(ctx), sessionId).
	Execute()
```

#### Example in TypeScript

```ts
import { Configuration, IdentityApi } from "@ory/client"

const identity = new IdentityApi(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: `${process.env.ORY_ACCESS_TOKEN}`,
  }),
)

export async function refreshSession(sessionId: string) {
  return await identity.extendSession({
    id: sessionId,
  })
}
```

To get the `sessionId`, call the `/sessions/whoami` endpoint or use the `toSession` SDK method [Refresh sessions](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions).

- As a user in a browser: If you want to refresh the session from the user's perspective (for example, after inactivity), you typically need to prompt the user to re-authenticate using the login flow with `?refresh=true`. This will require the user to log in again, so it does not meet your requirement of "without logging in again" [Refreshing a session](https://www.ory.sh/docs/kratos/self-service/flows/user-login#refreshing-a-session).

Summary: To refresh a session without user interaction, use the administrative "extend session" API. This is not available to regular users in the browser flow, where re-authentication is required for session refresh.
r
@chilly-king-10285 so I have to handle the auto refresh using custom frontend logic + admin extend session API?
b
A message from kapa.ai
Yes, if you want to refresh sessions automatically without requiring the user to log in again, you need to implement custom frontend logic that calls the admin extend session API. This approach is not available out-of-the-box for browser users; the standard browser flow requires re-authentication for session refresh.

The recommended pattern is:

1. Frontend logic detects when a session is about to expire.
2. Backend/admin logic calls the `/admin/sessions/{id}/extend` endpoint to extend the session.
3. Frontend then updates the session cookie by calling the `/sessions/whoami` endpoint to get the new cookie and set it in the browser.

This is confirmed by community discussions and official responses:

- The extend session endpoint is meant for active sessions only and does not update the cookie directly. After extending, you need to fetch the new session cookie via the `whoami` endpoint and update it in the browser. This requires custom logic in your application to coordinate these steps [GitHub Issue: Extending a session is not working](https://github.com/ory/kratos/issues/4441).
- The official answer to a related question is that you must fetch the session after expiry, as the extend API does not return session details anymore [Deprecation of session response in extend API](https://github.com/ory/kratos/discussions/4132).
- The documentation provides code samples for using the extend session API from the backend [Refresh sessions](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions).

So, yes, you need to handle auto-refresh using your own frontend logic in combination with the admin extend session API.