From a37dbb97c41ab5037a96b2ab8466ee8d0f9b070f Mon Sep 17 00:00:00 2001
From: Timm Fitschen <t.fitschen@indiscale.com>
Date: Fri, 28 Apr 2023 16:04:52 +0200
Subject: [PATCH] DOC: update Authentication.rst

---
 src/doc/specification/Authentication.rst | 26 ++++++++----------------
 1 file changed, 8 insertions(+), 18 deletions(-)

diff --git a/src/doc/specification/Authentication.rst b/src/doc/specification/Authentication.rst
index 0d3da0e1..3fcd25da 100644
--- a/src/doc/specification/Authentication.rst
+++ b/src/doc/specification/Authentication.rst
@@ -23,12 +23,18 @@ password:
 Logout
 ------
 
+The server does not invalidate AuthTokens. They invalidate after they expire or
+when the server is being restartet. Client should just delete their AuthToken
+to 'logout'.
+
+However, in order to remove the AuthToken cookie from the browsers there is a
+convenient resource which will invalidate the cookie (not the AuthToken).
+
 Send
 
 ``GET http://host:port/logout``
 
-with a valid AuthToken cookie. No new AuthToken will be returned and no AuthToken with that session
-will be accepted anymore.
+and the server will return an empty AuthToken cookie which immediately expires.
 
 Example using ``curl``
 ----------------------
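Review bot: The new Logout paragraph says the server never invalidates AuthTokens, but it does not spell out the consequence: a token that was copied before logout stays usable until it expires or the server restarts. Please state that explicitly next to "Client should just delete their AuthToken", and say that deleting the cookie through ``/logout`` only affects the browser's copy. Wording nits in the added lines: "restartet" should be "restarted", "Client should" should be "Clients should", and "They invalidate after they expire" reads more clearly as "They become invalid when they expire or when the server is restarted". The unchanged example ``GET http://host:port/logout`` uses plain HTTP while the curl section uses ``https://``; consider aligning it so the cookie is not shown travelling unencrypted.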
@@ -65,19 +71,3 @@ To use the cookie, pass it on with later requests:
 .. code-block:: sh
 
    curl -X GET -b cookie.txt --insecure "https://<SERVER>/Entity/123"
-
-.. _curl-logout:
-
-Logout
-~~~~~~
-
-The server does not invalidate AuthTokens. They invalidate after they expire of
-when the server is being restartet. Client should just delete their AuthToken
-to 'logout'.
-
-However, in order to remove the AuthToken cookie from the browsers there is a
-convenient resource which will invalidate the cookie (not the AuthToken).
-
-.. code-block:: sh
-
-   curl -X GET -b cookie.txt --insecure "https://<SERVER>/logout"  # Now the cookie is invalidated.
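Review bot: Removing the ``.. _curl-logout:`` label will break any ``:ref:`curl-logout``` elsewhere in the docs, so please check for references before dropping it, or keep the label on the remaining Logout section. With this subsection gone, the curl walkthrough no longer covers logout at all. The removed command used ``-b cookie.txt`` without ``-c``, which only reads the cookie file and never rewrites it, so its comment "Now the cookie is invalidated" did not hold for the file on disk. A one-line replacement telling curl users to delete ``cookie.txt`` would match the new text that clients log out by deleting their AuthToken.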
-- 
GitLab