diff --git a/idp/src/main.rs b/idp/src/main.rs
index 3f8d37c..5e43901 100644
--- a/idp/src/main.rs
+++ b/idp/src/main.rs
@@ -60,6 +60,7 @@ async fn main() -> Result<()> {
 let app = Router::::new()
 .route("/style.css", get(style_css))
 .route("/", get(root))
+ .route("/logout", post(logout))
 .route("/signup", get(signup).post(signup_post))
 .route("/login", get(login).post(login_post))
 .route("/login-2fa", get(login_2fa).post(login_2fa_post))
@@ -169,6 +170,26 @@ async fn login_2fa() -> impl IntoResponse {
 )
 }
 
+async fn logout(
+ State(db): State,
+
+ jar: CookieJar,
+ user: UserSession,
+) -> Result {
+ let Some(user) = user.0 else {
+ return Ok(Redirect::to("/").into_response());
+ };
+
+ session::delete_session(&db, user.user_id, user.session_public_id)
+ .await
+ .map_err(|err| {
+ error!(?err, "Error deleting session for logout");
+ StatusCode::INTERNAL_SERVER_ERROR.into_response()
+ })?;
+
+ Ok((jar.remove(SESSION_ID_COOKIE_NAME), Redirect::to("/")).into_response())
+}
+
 async fn list_2fa(user: UserSession, State(db): State) -> Result {
 let Some(user) = user.0 else {
 return Err(Redirect::to("/").into_response());
diff --git a/idp/src/session.rs b/idp/src/session.rs
index 7a91843..66952c0 100644
--- a/idp/src/session.rs
+++ b/idp/src/session.rs
@@ -16,13 +16,14 @@ pub struct SessionWithUser {
 #[expect(dead_code)]
 pub created: i64,
 pub username: String,
+ pub session_public_id: i64,
 }
 
 pub struct SessionId(pub String);
 
 pub async fn find_session(db: &Db, session_id: &str) -> Result> {
 let result = sqlx::query_as::<_, SessionWithUser>(
- "select user_id, created, username from sessions left join users on sessions.user_id = users.id where session_id = ? and locked_2fa = false",
+ "select user_id, session_public_id, created, username from sessions left join users on sessions.user_id = users.id where session_id = ? and locked_2fa = false",
 )
 .bind(session_id)
 .fetch_one(&db.pool)
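Review bot: In `logout` (idp/src/main.rs), the `let Some(user) = user.0 else` branch redirects without clearing the session cookie, so a request whose session did not resolve keeps sending it. `find_session` in idp/src/session.rs filters on `locked_2fa = false`; if `UserSession` is built from it (not visible in this diff), a session that passed the password step but is still waiting on 2FA falls into this branch and cannot be ended from here. I would clear the cookie on that path too, `return Ok((jar.remove(SESSION_ID_COOKIE_NAME), Redirect::to("/")).into_response());`, and consider deleting the pending row as well. It is also worth confirming that the cookie is set without a custom path or domain, since a removal built from the name alone only clears a cookie whose path and domain match.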
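Review bot: The new `session_public_id` field on `SessionWithUser` (idp/src/session.rs) has no comment saying how it differs from the `session_id` that `find_session` looks up, and the two are easy to confuse. From the `logout` handler it appears to be a non-secret row identifier that is passed to `delete_session`, while `session_id` is the bearer value from the cookie. A doc comment such as `/// Non-secret identifier of the session row; unlike session_id it is not a credential.` would help keep the secret value out of logs and templates later on; confirm the wording against the schema. The struct starts above this hunk.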
diff --git a/idp/templates/index.html b/idp/templates/index.html
index e9181ed..ff19221 100644
--- a/idp/templates/index.html
+++ b/idp/templates/index.html
@@ -18,6 +18,11 @@ {% if let Some(username) = username %}

Hello, {{username}}!

+
+
+ +
+
{% endif %}

Login