# ory-copilot
@chilly-king-10285 provide an end-to-end browser flow to log out the user from Kratos and Hydra. The flow should include all the APIs to be called.
A message from kapa.ai
Here's an end-to-end browser logout flow when you use Ory Identities (Kratos) for sessions and Ory OAuth2 & OpenID Connect (Hydra) for OAuth2/OIDC. It covers the APIs to call from your app and what each component does.

High-level idea
- In your app, trigger a Kratos browser logout to end the user's identity session and clear cookies.
- If you also use Hydra OIDC sessions, initiate Hydra's OIDC logout endpoint to trigger front-/back-channel logouts for OIDC clients.

A. Log out the user from Kratos (browser session)

1) Create a browser logout flow (server-side route or AJAX)
- Endpoint: `GET /self-service/logout/browser`
- Purpose: Generate a logout URL and token bound to the current Kratos session (cookie).
- Notes: Must forward the user's cookies if called from your backend.
- Response: `{ logout_url, logout_token }`

Example (server-side):
- Call createBrowserLogoutFlow and then redirect the browser to logout_url.
- This URL invalidates the Kratos session and redirects to the post-logout URL.

API reference and examples:
- Endpoint and behavior: `GET /self-service/logout/browser`. [[createBrowserLogoutFlow](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json); [Frontend createBrowserLogoutFlow](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json)]
- Express/Next.js/Go examples using createBrowserLogoutFlow and redirecting to logout_url. [[Sign out](https://www.ory.sh/docs/identities/get-started/sign-out)]
- SPA variant: createBrowserLogoutFlow, then call updateLogoutFlow with logout_token to complete logout via AJAX. [[SPA logout](https://www.ory.sh/docs/kratos/self-service/flows/user-logout#single-page-application-spa)]
- Flow details, including post-logout redirect behavior and default post-logout URL configuration. [[Kratos logout flow](https://www.ory.sh/docs/kratos/self-service/flows/user-logout)]

2) Complete the logout (two options)
- Redirect-based: Send the browser to logout_url (returned in step 1). This completes logout and redirects to the return URL. [[Kratos BYO UI logout flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#logout-flow)]
- AJAX-based (SPA): Call `GET /self-service/logout?token={logout_token}`. [[Kratos BYO UI logout flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#logout-flow); [SPA logout](https://www.ory.sh/docs/kratos/self-service/flows/user-logout#single-page-application-spa)]

What happens after successful Kratos logout:
- Session invalidated and session cookie removed, then the browser is redirected (either to return_to or the configured default). [[Sign out](https://www.ory.sh/docs/identities/get-started/sign-out); [Kratos logout flow](https://www.ory.sh/docs/kratos/self-service/flows/user-logout)]

B. Log out OIDC sessions from Hydra (front-/back-channel)

If your user has active OIDC sessions with Hydra (e.g., logged into one or more OAuth2/OIDC clients), use Hydra's OIDC logout endpoint to trigger front-/back-channel logout.

1) Initiate OIDC logout at Hydra
- Endpoint: `GET /oauth2/sessions/logout`
- Behavior (browser):
  - If OP-initiated (no id_token_hint/state/post_logout_redirect_uri), Hydra redirects based on session presence:
    - If there is no active OP session, immediate redirect to the system-wide post-logout URL.
    - If a session exists, it shows the logout UI or proceeds as configured.
  - If RP-initiated (with id_token_hint), Hydra can also execute any configured front-/back-channel logouts for that client, even if the OP session is no longer valid. [[Hydra debug logout](https://www.ory.sh/docs/hydra/debug/logout)]
- Status: 302 redirects in browser flows. [[Hydra revokeOidcSession](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json); [Ory API oidc revokeOidcSession](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json)]

2) What front-/back-channel does
- Front-channel: If the client registered frontchannel_logout_uri, Hydra redirects the browser to that URI with iss and sid so the client can clear its own session. [[OIDC logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout)]
- Back-channel: If the client registered backchannel_logout_uri, Hydra POSTs a logout_token (JWT) to that URI asynchronously; clients validate it using the OIDC JWKS and invalidate their sessions. [[OIDC logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout)]
- Back-channel happens asynchronously and does not block the browser flow. [[Hydra revokeOidcSession](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json)]

Putting it together: end-to-end browser sequence

From your app's logout action:
1) Call Kratos: `GET /self-service/logout/browser` (forward cookies) → receive logout_url (and logout_token). [[createBrowserLogoutFlow](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json)]
2) Complete Kratos logout:
   - Redirect the browser to logout_url; or
   - SPA: `GET /self-service/logout?token={logout_token}`. [[Kratos BYO UI logout flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#logout-flow)]
3) Optionally, also hit Hydra to terminate OIDC sessions:
   - Redirect or navigate to `GET /oauth2/sessions/logout` (and include id_token_hint/state/post_logout_redirect_uri if doing RP-initiated logout), which triggers front-/back-channel logout for clients. [[Hydra revokeOidcSession](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json); [Hydra debug logout](https://www.ory.sh/docs/hydra/debug/logout); [OIDC logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout)]

Notes and caveats
- Cookies and browsers: Ensure the browser sends the Kratos session cookie when creating the logout flow. Forward the original Cookie header from your backend. [[createBrowserLogoutFlow](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json)]
- Post-logout redirect:
  - Kratos: use the default configured Post-Logout Redirect (Branding → Browser redirects) or pass return_to when creating the logout flow. [[Kratos logout flow](https://www.ory.sh/docs/kratos/self-service/flows/user-logout)]
  - Hydra: behavior depends on whether it's OP- or RP-initiated logout and the presence of id_token_hint/post_logout_redirect_uri. [[Hydra debug logout](https://www.ory.sh/docs/hydra/debug/logout)]
- Troubleshooting Hydra logout:
  - If you get an immediate redirect without seeing the UI or errors, you might have no active OP session, or strict browser cookie settings (e.g., Brave) may be interfering. [[Hydra debug logout](https://www.ory.sh/docs/hydra/debug/logout)]

Minimal code sketch (server-rendered example)
- Kratos (logout first), then Hydra:
```ts
// Express-style pseudo code
import express from "express"
import { Configuration, FrontendApi, OAuth2Api } from "@ory/client"

const app = express()
const kratos = new FrontendApi(new Configuration({ basePath: process.env.ORY_SDK_URL }))
const hydra = new OAuth2Api(new Configuration({ basePath: process.env.ORY_SDK_URL }))

app.get("/logout", async (req, res) => {
  try {
    // 1) Create Kratos browser logout flow; the caller's Cookie header must be
    //    forwarded so the flow is bound to the current Kratos session
    const { data: { logout_url } } = await kratos.createBrowserLogoutFlow({
      cookie: req.header("cookie") || "",
      // return_to can be provided if desired (e.g. point it at /logout/hydra
      // below to chain the Hydra logout after the Kratos logout completes)
      // returnTo: "https://your-app.example.com/post-logout",
    })

    // 2) Redirect to Kratos logout URL (completes Kratos logout)
    //    After this redirect completes, the user returns to your app (per return_to/default).
    res.redirect(logout_url)
  } catch {
    // even if Kratos logout fails, try Hydra logout to clean up OIDC sessions
    res.redirect("/logout/hydra")
  }
})

app.get("/logout/hydra", async (req, res) => {
  // 3) Trigger Hydra OIDC logout (OP-initiated) at Hydra's public endpoint
  //    If you use RP-initiated logout, add id_token_hint/state/post_logout_redirect_uri in the query.
  //    Hydra answers with a 302 and handles the redirects and front-/back-channel logout.
  res.redirect(`${process.env.ORY_SDK_URL}/oauth2/sessions/logout`)
})
```
- The Kratos API usage and redirect pattern are shown in official examples. [[Sign out](https://www.ory.sh/docs/identities/get-started/sign-out)]
- Hydra's logout endpoint is `GET /oauth2/sessions/logout` and drives front-/back-channel logout. [[Hydra revokeOidcSession](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json); [OIDC logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout); [Hydra debug logout](https://www.ory.sh/docs/hydra/debug/logout)]

If you need a custom Hydra logout UI/endpoint (e.g., to require user confirmation), implement it using getOAuth2LogoutRequest, acceptOAuth2LogoutRequest and rejectOAuth2LogoutRequest as shown in the guide. [[Hydra logout guide](https://www.ory.sh/docs/hydra/guides/logout)]
@chilly-king-10285 does the following Hydra admin SDK function remove ID and access tokens? `HydraAdminClient.AdminApi.RevokeAuthenticationSession`
A message from kapa.ai
Short answer: No. That endpoint revokes login (authentication) sessions, not tokens.

Details:
- The admin endpoint `DELETE /admin/oauth2/auth/sessions/login` (often exposed in SDKs as RevokeAuthenticationSession or revokeOAuth2LoginSessions) "invalidates authentication sessions" so the subject must re-authenticate. It explicitly "does not invalidate any tokens." [[revokeOAuth2LoginSessions](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json); [Hydra revokeOAuth2LoginSessions](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json)]

How to remove tokens instead:
- To revoke access or refresh tokens by value, use `POST /oauth2/revoke` (revokeOAuth2Token). [[revokeOAuth2Token](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json); [Hydra revokeOAuth2Token](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json)]
- To revoke all tokens granted via a user's consent (optionally scoped to a client), use `DELETE /admin/oauth2/auth/sessions/consent` (revokeOAuth2ConsentSessions). This invalidates all associated access and refresh tokens. [[revokeOAuth2ConsentSessions](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json); [Revoke consent](https://www.ory.sh/docs/oauth2-oidc/revoke-consent)]
@chilly-king-10285 what's the Hydra admin SDK's function for `DELETE /admin/oauth2/auth/sessions/consent` (revokeOAuth2ConsentSessions)?
A message from kapa.ai
In the Hydra Admin API, the endpoint DELETE /admin/oauth2/auth/sessions/consent is exposed as revokeOAuth2ConsentSessions (naming may vary slightly per SDK, e.g., OAuth2Api.revokeOAuth2ConsentSessions or AdminApi.revokeOAuth2ConsentSessions). It revokes a subject’s consent sessions and invalidates associated access tokens, optionally scoped by client, consent_request_id, or all=true. [[revokeOAuth2ConsentSessions](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json); [Ory API revokeOAuth2ConsentSessions](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json); [Revoke consent](https://www.ory.sh/docs/oauth2-oidc/revoke-consent)]
@chilly-king-10285 what's the SDK function equivalent for `POST /oauth2/revoke` (revokeOAuth2Token)?
A message from kapa.ai
In the Hydra SDKs, the `POST /oauth2/revoke` endpoint is exposed as revokeOAuth2Token (often under the OAuth2Api or PublicApi, depending on the language). It revokes an access or refresh token by value. [[Hydra revokeOAuth2Token](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json); [Ory API revokeOAuth2Token](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json)]
- Example (conceptual): `OAuth2Api.revokeOAuth2Token({ token, client_id, client_secret })`
- Auth: basic auth or OAuth2 client credentials are supported by the endpoint. [[Hydra revokeOAuth2Token](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json)]
@chilly-king-10285 will the subject field always exist and have a value in the response of the /admin/oauth2/auth/request/logout API or the admin SDK function call?
A message from kapa.ai
Short answer: No — you should not assume subject is always present or non-empty.

Details from the API schema:
- The response object for `GET /admin/oauth2/auth/requests/logout` (getOAuth2LogoutRequest) includes a subject field described as "Subject is the user for whom the logout was request." but it is not listed as required. Therefore, it may be absent or null/empty depending on the context (e.g., RP-initiated vs. OP-initiated, expired request, no bound user). [[Hydra getLogout 200](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json); [Ory API getLogout 200](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json)]
- Other fields that are returned include rp_initiated, sid, client, etc., and similarly they are not marked required either. Only challenge is clearly defined as the identifier, but even that is not shown as "required" in the schema's required list, which indicates the object has no explicit required keys in the spec snippet. You should code defensively and check for presence before use. [[Hydra getLogout 200](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json)]

Recommendation:
- Treat subject as optional: check if logoutRequest.subject is set before relying on it. Fall back to other indicators (e.g., rp_initiated, client, sid) as needed. [[Hydra getLogout 200](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json)]
@chilly-king-10285 what are the query params and cookies required for the Hydra /oauth2/sessions/logout API?
A message from kapa.ai
For the Hydra `/oauth2/sessions/logout` API (OpenID Connect logout endpoint), the following query parameters are supported:
- `id_token_hint` (optional): The ID Token previously issued to the user. Including this helps Hydra identify the user session to log out, especially if the session cookie is missing or the login was not remembered.
- `post_logout_redirect_uri` (optional): The URL to which the user should be redirected after logout. This must be whitelisted in the OAuth2 client's configuration.
- `state` (optional): A value used to maintain state between the logout request and the response. If provided, it will be returned in the redirect after logout.

Cookies:
- If the user has an active authentication session, the browser must send the `oauth2_authentication_session` cookie for the domain where Hydra is running. This cookie is used to identify the user's session for logout. If the cookie is missing (e.g., due to strict browser privacy settings or if the login was not remembered), Hydra may not be able to identify the session unless `id_token_hint` is provided [[Hydra debug logout](https://www.ory.sh/docs/hydra/debug/logout); [Send the ID token in id_token_hint](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#send-the-id-token-in-id_token_hint)].

Summary Table:

| Query Parameter | Required | Description |
|---|---|---|
| id_token_hint | No | ID Token to help identify the session to log out |
| post_logout_redirect_uri | No | Redirect URL after logout (must be whitelisted) |
| state | No | Opaque value to maintain state between request and response |

| Cookie | Required | Description |
|---|---|---|
| oauth2_authentication_session | No* | Identifies the user session for logout |

\* Required if you want Hydra to identify the session without `id_token_hint`.

References: [Hydra debug logout](https://www.ory.sh/docs/hydra/debug/logout); [Send the ID token in id_token_hint](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#send-the-id-token-in-id_token_hint)
@chilly-king-10285 if we use the login method "code" in Kratos for mobile-number-based login, and accept the Hydra login challenge with the identifier as the mobile number, what will be the value of the subject field in Hydra's JWT?
A message from kapa.ai
If you use the Kratos "code" login method (one-time code) with a mobile number as the identifier, and you accept the Hydra login challenge with the identifier set to the mobile number, then the value you provide as the subject when accepting the Hydra login request will be used as the `sub` (subject) claim in Hydra's issued JWT. By default, Hydra uses the subject value you provide during the login acceptance as the JWT's `sub` claim. So, if you pass the mobile number as the subject, the JWT's `sub` field will be set to that mobile number.

Example:
- User logs in with mobile number `+1234567890` via Kratos (code method).
- You accept the Hydra login challenge and set `subject: "+1234567890"`.
- Hydra issues a JWT with `"sub": "+1234567890"`.

There is no automatic mapping or transformation unless you implement it yourself or configure Hydra/Kratos to use a different identifier (such as `external_id`). The subject is what you provide when accepting the login request [[Hydra subject claim](https://www.ory.sh/docs/hydra/guides/openid)]. If you want the JWT's `sub` claim to be something else (e.g., an internal user ID or an external ID), you must provide that value as the subject when accepting the login request. Otherwise, it will be the mobile number you used as the identifier.
@chilly-king-10285 what's the Kratos SDK function to delete Kratos sessions by identity ID?
A message from kapa.ai
The Kratos SDK function to delete all sessions for a given identity (by identity ID) is:

Go SDK:

```go
// DisableAndDeleteSessions revokes and permanently deletes every session of the
// given identity. `ory` is the configured Kratos SDK client and ContextWithToken
// attaches the admin API token; both come from the surrounding setup in the
// linked Go SDK example.
func DisableAndDeleteSessions(ctx context.Context, identityId string) (err error) {
	_, err = ory.IdentityApi.DeleteIdentitySessions(ContextWithToken(ctx), identityId).
		Execute()
	return err
}
```

This function calls the `DeleteIdentitySessions` method on the `IdentityApi`, passing the identity ID. This irrecoverably and permanently deletes and invalidates all sessions that belong to the given identity [[Delete sessions](https://www.ory.sh/docs/kratos/sdk/go#delete-sessions); [Revoke and delete sessions of a user](https://www.ory.sh/docs/kratos/session-management/list-revoke-get-sessions#revoke-and-delete-sessions-of-a-user)].

API Reference: `DELETE /admin/identities/{id}/sessions` [[API reference](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json)]
@chilly-king-10285 I'm getting an "undefined response type" error when calling the `AdminApi.GetLoginRequest` function in the Hydra client SDK?
A message from kapa.ai
The knowledge sources do not contain explicit information about the "undefined response type" error when calling the `AdminApi.GetLoginRequest` function in the Hydra client SDK. There is no direct troubleshooting guide or documented error message for this specific issue in the provided documentation or API references. However, based on the available API references, the correct endpoint for fetching a login request is `GET /admin/oauth2/auth/requests/login` and it requires the `login_challenge` query parameter to be set. If this parameter is missing or incorrect, or if the SDK function is not called with the expected arguments, it could potentially result in errors or unexpected responses [[Hydra getOAuth2LoginRequest](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json); [Ory API getOAuth2LoginRequest](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json)].

If you are seeing an "undefined response type" error, please ensure:
- You are passing the required `login_challenge` parameter.
- You are using the correct SDK function and version.
- The Hydra server is running and accessible.

If the issue persists, it may be a bug or a mismatch between the SDK and the Hydra server version. In that case, consider checking the SDK documentation or opening an issue in the [Ory Hydra SDKs GitHub repository](https://github.com/ory/sdk/tree/master/clients/hydra/) for further assistance [[Hydra SDK overview](https://www.ory.sh/docs/hydra/sdk/overview)]. I'm sorry I can't provide a more specific answer based on the current knowledge sources.