diff --git a/src/node/routes/index.ts b/src/node/routes/index.ts
index 5bc9f10b..c183b42b 100644
--- a/src/node/routes/index.ts
+++ b/src/node/routes/index.ts
@@ -20,6 +20,7 @@ import * as apps from "./apps"
 import * as domainProxy from "./domainProxy"
 import * as health from "./health"
 import * as login from "./login"
+import * as logout from "./logout"
 import * as pathProxy from "./pathProxy"
 // static is a reserved keyword.
 import * as _static from "./static"
@@ -136,10 +137,10 @@ export const register = async (
 
   if (args.auth === AuthType.Password) {
     app.use("/login", login.router)
+    app.use("/logout", logout.router)
   } else {
-    app.all("/login", (req, res) => {
-      redirect(req, res, "/", {})
-    })
+    app.all("/login", (req, res) => redirect(req, res, "/", {}))
+    app.all("/logout", (req, res) => redirect(req, res, "/", {}))
   }
 
   app.use("/static", _static.router)
diff --git a/src/node/routes/logout.ts b/src/node/routes/logout.ts
new file mode 100644
index 00000000..e42789b4
--- /dev/null
+++ b/src/node/routes/logout.ts
@@ -0,0 +1,17 @@
+import { Router } from "express"
+import { getCookieDomain, redirect } from "../http"
+import { Cookie } from "./login"
+
+export const router = Router()
+
+router.get("/", async (req, res) => {
+  // Must use the *identical* properties used to set the cookie.
+  res.clearCookie(Cookie.Key, {
+    domain: getCookieDomain(req.headers.host || "", req.args["proxy-domain"]),
+    path: req.body.base || "/",
+    sameSite: "lax",
+  })
+
+  const to = (typeof req.query.to === "string" && req.query.to) || "/"
+  return redirect(req, res, to, { to: undefined, base: undefined })
+})