Ends the caller's session. Tolerant by design — any caller (valid token, expired token, no cookie at all) gets a 204 with Set-Cookie headers clearing the session cookies. The endpoint is unauthenticated for that reason: requiring a valid JWT to log out would leave clients with stale tokens unable to clean up their browser state.

When a refresh_token cookie is presented, the server revokes it at Cognito (best-effort — a revocation failure does not block the cookie clear). Without a refresh cookie, only the client-side cookies are cleared; the access token is then useful only until its natural expiry (≤ 60 min by default).

The endpoint has no request body. Idempotent: repeat calls return the same 204 + cookie clear.