
Logout

  1. Clear Intastellar’s client cookie on your origin — call Intastellar.accounts.signout(). Intastellar’s browser client currently uses this to delete the inta_account cookie (first-party on your site’s origin). Load the Intastellar accounts script / global before calling it, and guard the call if the API might be absent (e.g. Intastellar?.accounts?.signout?.()).
  2. Clear your application session — delete or invalidate your app session cookie (e.g. HttpOnly) and any server-side session record. The SDK sign-out step does not replace your own backend or BFF session.
  3. IdP / SSO logout (optional but recommended for full SSO teardown) — if your integration uses an end-session or logout URL on the identity host, redirect the user there with the parameters from your integration guide (id_token_hint, post_logout_redirect_uri, client_id, etc.) so SSO cookies on Intastellar’s identity domain are cleared.
  4. Return URL — send the user to a public page on your site after logout completes.

Without step 3 (when you rely on SSO on the identity domain), the user may still have an IdP session and get silent SSO on the next authorize redirect, even after inta_account is gone.
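The four steps above as one flow, in an added example that is not Intastellar's code: a guarded browser call for step 1 and a backend/BFF response builder for steps 2 to 4. The end-session URL, return URL, `app_session` cookie name, and in-memory session map are assumptions; take the real values from your integration guide.

```javascript
// Added example. END_SESSION_URL, POST_LOGOUT_URL, the "app_session" cookie
// name and the Map-based session store are placeholders/assumptions.
const END_SESSION_URL = "https://idp.example/end-session";
const POST_LOGOUT_URL = "https://app.example/signed-out"; // public page (step 4)

// Step 1 (browser): pass globalThis/window. Reading the property off the
// global object avoids the ReferenceError that a bare `Intastellar?.` throws
// when the script never loaded. Returns false if the API is absent.
function clearIntastellarCookie(globalObj) {
  const accounts = globalObj?.Intastellar?.accounts;
  if (typeof accounts?.signout !== "function") return false;
  accounts.signout();
  return true;
}

// Step 3: end-session URL carrying the parameters named in the steps above.
function buildEndSessionUrl({ idToken, clientId }) {
  const url = new URL(END_SESSION_URL);
  if (idToken) url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("post_logout_redirect_uri", POST_LOGOUT_URL);
  return url.toString();
}

// Steps 2-4 (server / BFF): response for a logout request.
// `sessions` maps sessionId -> { idToken }; `useIdpLogout` toggles step 3.
function logoutResponse(sessionId, sessions, { clientId, useIdpLogout = true }) {
  const session = sessions.get(sessionId);
  sessions.delete(sessionId); // invalidate the server-side session record
  const location = useIdpLogout
    ? buildEndSessionUrl({ idToken: session?.idToken, clientId })
    : POST_LOGOUT_URL;
  return {
    status: 302,
    headers: {
      // Only the server can expire an HttpOnly cookie.
      "Set-Cookie": "app_session=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax",
      "Cache-Control": "no-store",
      Location: location,
    },
  };
}
```

The session record is deleted before the redirect is built, so an abandoned IdP round trip still leaves the application session invalid.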

Common authorize errors

| error (typical) | Meaning |
| --- | --- |
| invalid_request | Missing or invalid parameter (e.g. bad redirect_uri). |
| unauthorized_client | Client not allowed for this flow or scope. |
| access_denied | User cancelled or blocked consent. |
| invalid_scope | Requested scope not allowed for the client. |

Always show a safe message to the user and log error_description server-side for support.

Common token errors

| error | Meaning |
| --- | --- |
| invalid_grant | Code expired, already used, or redirect_uri / PKCE mismatch. |
| invalid_client | Wrong client_id / client_secret. |
| invalid_request | Malformed body or missing field. |

Authorization codes are usually single-use and short-lived. If the user double-submits the callback or you retry with the same code, expect invalid_grant.

React SDK (popup)

  • Popup blocked — the SDK opens a new window; browsers may block it. Allow popups for your origin or use a flow that does not rely on window.open if your product supports it.
  • logout vs global signout — the hook’s logout ends the client session for your app; the underlying client API is Intastellar.accounts.signout(), which deletes the inta_account cookie on your origin.
  • Still “signed in” after portal or cookie cleanup — third-party cookies or an IdP session can make getUsers() return a user until end-session / IdP logout or further cleanup; clearing inta_account alone does not always clear the identity host. See Sessions, cookies, and tokens.

Troubleshooting checklist

  • Redirect URI matches the registered value exactly (scheme, host, path, no extra query).
  • state matches the value you stored for this attempt.
  • PKCE: same code_verifier that produced the sent code_challenge.
  • Clock skew: ensure server time is correct for JWT exp validation.
  • CORS: token endpoint calls from the browser often fail by design — use your backend.

For a full walkthrough of the happy path, see Authorization code flow.
