The Purpose of "id_token_hint" in the /logout API and How Does it Affect the Single Logout Process
Overview

This article explains the purpose of the id_token_hint parameter in the /logout API endpoint and its role in the logout process.

Applies To
  • OpenID Connect (OIDC)
  • Single Logout (SLO)
  • /logout API Endpoint
Solution

What is an id_token_hint?

The id_token_hint parameter is a required parameter in requests to the /logout endpoint in OIDC flows. Its purpose is to tell the Okta Authorization Server which end-user session the client is asking to end.

id_token_hint is a valid JWT issued by the Okta Authorization Server (either the Org Authorization Server or a Custom Authorization Server) in any OIDC flow that requests the openid scope. The value passed as id_token_hint must be the original ID Token issued to the client application after authentication, sent as a raw JSON Web Token (JWT) string.

A raw JWT string is a sequence of base64url-encoded segments separated by periods. For example, below is a sample ID token issued by Okta after a user successfully signs in to their application with the openid scope requested:

eyJraWQiOiJ5dnkwVUNvZGlSWVBCVzBnZTdVRy1GdFNhbUZla3BoVjcyRUJCQlJHQi1vIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMUxbmR0bG5sbXZxYWJ3TzFkOCIsIm5hbWUiOiJSYW5nYSBQcmFrYXNoIFMiLCJsb2NhbGUiOJJTiIsImVtYWlsIjoicmFuZ2EucHJha2FzaEBva3RhLmNvbSIsIZlciI6MSwiaXNzIjoiaHR0cHM6Ly9va3RhLm9rdGEuY29tIiwiYXVkIjoib2t0YS4yYj5NTljOC1iYY29tIiwiZ2l2ZW5fbmFtZSI6IlJhbmdhIFByYWthc2giLCJmYW1pbHlfbmFtZSI6MiLCJ6b25laW5mbyI6IkFzaWEvQ9sb21ibyIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYXV0aF90aW1lIjoxNzQzNzU0MTExLCJhdF9oYXNoIjoiUjNWb2JfaVhmSU1kcF93aDE4cDNyUSJ9.EJbuGeOTmGiloswI7_hxTkUnUhHAG5614VYVYSAwiiAZkNlFHAf_YagE3SySpuE2AZyKaaFqDvIJ2KBgf5ZEpxhiOMCJEGhAQ0nAUZtVb1ROLLrRhzClpm3TQiRbijcJZEJvpzlyXzDngY4AIwL0B8GYy4GqiPsdEa20YHYqMyNdMvdMlhxxumlTSFDn28kL4zW7e0Hwqloa8mQK8p1LkCYh3LCIi8aDEGX-

NOTE: The value provided as the id_token_hint cannot be the username, email, or UPN of the logged-in user.

It must be an ID Token JWT string containing all three parts of the JWT (header, payload, and signature), and the token must have been issued by the same Okta Authorization Server to which the /logout call is made. For example, if the token was issued by the Default Authorization Server, it must be sent to that authorization server's own logout endpoint: /oauth2/default/v1/logout.

Expired but valid id_token_hint / ID token

To quote our Okta API docs on an expired but valid id_token_hint:

If the ID token is valid, but expired, and the subject matches the current Okta session, a logout request signs the user out and redirects the browser to the post_logout_redirect_uri.

Since ID Tokens are JSON Web Tokens (JWTs), a valid token can be decoded with any standard JWT decoder to view its contents. An online tool such as jwt.io can decode the token and help validate it or debug issues with the signature.
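As an added illustration (not code from this article or from Okta's SDKs), the following Python performs the local checks the article describes before a /logout call: the value must be a three-part raw JWT, its iss claim must match the authorization server being called, and an expired token is reported but not rejected. The sample token, issuer, client ID and redirect URI are constructed, and the signature is not verified locally (Okta does that server-side).

```python
import base64
import json
import time
from urllib.parse import urlencode


def _b64url_decode(segment: str) -> str:
    # JWT segments are base64url without padding; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)).decode()


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(issuer: str, sub: str, exp: int) -> str:
    # Constructed sample: the signature segment is a placeholder, so this token
    # only exercises the local checks below; Okta itself would reject it.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode())
    claims = {"iss": issuer, "sub": sub, "aud": "0oa-constructed-client", "exp": exp}
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


def inspect_id_token_hint(token: str, expected_issuer: str, now=None) -> dict:
    """Local sanity checks before a /logout call. The signature is NOT verified
    here (Okta does that server-side); this only catches the mistakes the
    article describes: non-JWT values and tokens from a different server."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("id_token_hint must be a raw JWT with header, payload and signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"token issued by {claims.get('iss')!r}, not by {expected_issuer!r}")
    issuer = expected_issuer.rstrip("/")
    # Custom Authorization Servers expose {issuer}/v1/logout; the Org
    # Authorization Server (issuer is the bare org URL) uses /oauth2/v1/logout.
    endpoint = issuer + ("/v1/logout" if "/oauth2/" in issuer else "/oauth2/v1/logout")
    return {
        "alg": header.get("alg"),
        "sub": claims.get("sub"),
        # An expired token is still usable when its subject matches the current session
        "expired": claims.get("exp", 0) < (time.time() if now is None else now),
        "logout_endpoint": endpoint,
    }


def build_logout_url(token: str, expected_issuer: str, post_logout_redirect_uri: str, now=None) -> str:
    info = inspect_id_token_hint(token, expected_issuer, now)
    query = urlencode({"id_token_hint": token, "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{info['logout_endpoint']}?{query}"
```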
