agentclientprotocol · benbrandt · May 22, 2026 · May 21, 2026
@@ -20,7 +20,6 @@ unstable = [
     "unstable_cancel_request",
     "unstable_elicitation",
     "unstable_llm_providers",
-    "unstable_logout",
     "unstable_mcp_over_acp",
     "unstable_nes",
     "unstable_session_additional_directories",
@@ -40,7 +39,6 @@ unstable_auth_methods = []
 unstable_cancel_request = []
 unstable_elicitation = []
 unstable_llm_providers = []
-unstable_logout = []
 unstable_mcp_over_acp = []
 unstable_nes = []
 unstable_session_additional_directories = []

@@ -0,0 +1,13 @@
+---
+title: Logout Method is stabilized
+sidebarTitle: Logout Method stabilized
+description: Announcement that the logout method is now part of the stable ACP protocol.
+---
+
+**Published:** May 21, 2026
+
+The [Logout Method RFD](/rfds/logout-method) has moved to Completed and the `logout` method is stabilized.
+
+When advertised via `agentCapabilities.auth.logout`, Clients can now ask Agents to end the current authenticated state and return the connection to a state where future authentication-gated requests require `authenticate` again.
+
+For the protocol documentation, see [Logging Out](/protocol/authentication#logging-out).
@@ -64,6 +64,7 @@
             "pages": [
               "protocol/overview",
               "protocol/initialization",
+              "protocol/authentication",
               "protocol/session-setup",
               "protocol/session-list",
               "protocol/prompt-turn",
@@ -155,11 +156,7 @@
           },
           {
             "group": "Preview",
-            "pages": [
-              "rfds/rust-sdk-v1",
-              "rfds/logout-method",
-              "rfds/additional-directories"
-            ]
+            "pages": ["rfds/rust-sdk-v1", "rfds/additional-directories"]
           },
           {
             "group": "Completed",
@@ -170,7 +167,8 @@
               "rfds/session-info-update",
               "rfds/acp-agent-registry",
               "rfds/session-resume",
-              "rfds/session-close"
+              "rfds/session-close",
+              "rfds/logout-method"
             ]
           }
         ]
@@ -196,6 +194,7 @@
           {
             "group": "Announcements",
             "pages": [
+              "announcements/logout-method-stabilized",
               "announcements/session-close-stabilized",
               "announcements/session-resume-stabilized",
               "announcements/transports-working-group",

@@ -0,0 +1,142 @@
+---
+title: "Authentication"
+description: "Authenticating with agents and logging out"
+---
+
+ACP authentication is negotiated during [initialization](/protocol/initialization). Agents advertise available authentication methods in `authMethods`, Clients choose one by calling `authenticate`, and Agents that support ending an authenticated state advertise the `logout` capability.
+
+<br />
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant Agent
+
+    Client->>Agent: initialize
+    Agent-->>Client: initialize response (authMethods, auth.logout)
+
+    alt Agent requires authentication
+        Client->>Agent: authenticate (methodId)
+        Agent-->>Client: authenticate response
+    end
+
+    Note over Client,Agent: Authenticated requests may proceed
+
+    alt User logs out
+        Client->>Agent: logout
+        Agent-->>Client: logout response
+    end
+
+    Note over Client,Agent: New sessions require authentication again
+```
+
+<br />
+
+## Advertising Authentication
+
+Agents advertise authentication options in the `authMethods` field of the `initialize` response. Each method has an `id` that the Client passes back to the Agent in a later `authenticate` request.
+
+Agents that support `logout` also advertise `agentCapabilities.auth.logout`:
+
+```json highlight={7-11,12-18}
+{
+  "jsonrpc": "2.0",
+  "id": 0,
+  "result": {
+    "protocolVersion": 1,
+    "agentCapabilities": {
+      "auth": {
+        "logout": {}
+      }
+    },
+    "authMethods": [
+      {
+        "id": "agent-login",
+        "name": "Agent login",
+        "description": "Sign in using the agent's login flow"
+      }
+    ]
+  }
+}
+```
+
+If `agentCapabilities.auth.logout` is omitted or `null`, the Agent does not support `logout` and Clients **MUST NOT** call it. Supplying `{}` means the Agent supports the method.
+
+### Authentication Method Types
+
+The default authentication method type is `agent`, where the Agent handles authentication itself. When no `type` is present, the method is treated as `agent`:
+
+```json
+{
+  "id": "agent-login",
+  "name": "Agent login",
+  "description": "Sign in using the agent's login flow"
+}
+```
+
+An explicit `"type": "agent"` is also accepted but not required.
+
+See the [schema](/protocol/schema#authmethod) for the full stable `AuthMethod` definition.
+
+## Authenticating
+
+When an Agent requires authentication before allowing session creation, the Client calls `authenticate` with one of the advertised authentication method IDs:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "id": 1,
+  "method": "authenticate",
+  "params": {
+    "methodId": "agent-login"
+  }
+}
+```
+
+<ParamField path="methodId" type="string" required>
+  The ID of the authentication method to use. This value must match one of the
+  methods advertised in the `initialize` response.
+</ParamField>
+
+On success, the Agent returns an empty result:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "id": 1,
+  "result": {}
+}
+```
+
+After successful authentication, the Client can create new sessions without receiving an `auth_required` error for authentication-gated requests.
+
+## Logging Out
+
+The `logout` method allows Clients to end the current authenticated state. Clients should only call it after verifying the Agent advertised `agentCapabilities.auth.logout` during initialization.
+
+```json
+{
+  "jsonrpc": "2.0",
+  "id": 2,
+  "method": "logout",
+  "params": {}
+}
+```
+
+On success, the Agent returns an empty result:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "id": 2,
+  "result": {}
+}
+```
+
+After a successful `logout`, new sessions that require authentication will require the Client to call `authenticate` again.
+
+## Active Sessions
+
+The protocol does not guarantee what happens to already-running sessions after `logout`. Agents may terminate them, keep them running, or return `auth_required` errors for future session activity.
+
+Clients **SHOULD** be prepared for active session operations to fail with authentication-related errors after logout and should prompt the user to authenticate again when appropriate.
@@ -3,12 +3,7 @@ title: "Authentication"
 description: "Authenticating with agents and logging out"
 ---
 
-ACP authentication is negotiated during [initialization](/protocol/initialization). Agents advertise available authentication methods in `authMethods`, Clients choose one by calling `authenticate`, and Agents that support ending an authenticated state advertise the draft `logout` capability.
-
-<Note>
-  The `logout` method and `agentCapabilities.auth.logout` capability are still
-  unstable and may change before they are stabilized.
-</Note>
+ACP authentication is negotiated during [initialization](/protocol/initialization). Agents advertise available authentication methods in `authMethods`, Clients choose one by calling `authenticate`, and Agents that support ending an authenticated state advertise the `logout` capability.
 
 <br />
 
@@ -138,7 +133,7 @@ After successful authentication, the Client can create new sessions without rece
 
 ## Logging Out
 
-The draft `logout` method allows Clients to end the current authenticated state. Clients should only call it after verifying the Agent advertised `agentCapabilities.auth.logout` during initialization.
+The `logout` method allows Clients to end the current authenticated state. Clients should only call it after verifying the Agent advertised `agentCapabilities.auth.logout` during initialization.
 
 ```json
 {

@@ -155,6 +155,10 @@ The Agent **SHOULD** specify whether it supports the following capabilities:
   included in `session/prompt` requests.
 </ResponseField>
 
+<ResponseField name="auth" type="AgentAuthCapabilities Object">
+  Authentication-related capabilities supported by the Agent.
+</ResponseField>
+
 #### Prompt capabilities
 
 As a baseline, all Agents **MUST** support `ContentBlock::Text` and `ContentBlock::ResourceLink` in `session/prompt` requests.
@@ -186,6 +190,16 @@ Note: This transport has been deprecated by the MCP spec.
 
 </ResponseField>
 
+#### Authentication Capabilities
+
+<ResponseField name="logout" type="LogoutCapabilities Object">
+  The [`logout`](./authentication#logging-out) method is available.
+</ResponseField>
+
+<Card icon="shield-check" horizontal href="./authentication">
+  Learn more about Authentication
+</Card>
+
 #### Session Capabilities
 
 As a baseline, all Agents **MUST** support `session/new`, `session/prompt`, `session/cancel`, and `session/update`.

@@ -84,6 +84,11 @@ Agents are programs that use generative AI to autonomously modify code. They typ
   `loadSession` capability).
 </ResponseField>
 
+<ResponseField name="logout" post={[<a href="./schema#logout">Schema</a>]}>
+  [End the current authenticated state](./authentication#logging-out) (requires
+  `agentCapabilities.auth.logout` capability).
+</ResponseField>
+
 <ResponseField
   name="session/set_mode"
   post={[<a href="./schema#session%2Fset-mode">Schema</a>]}

@@ -339,21 +339,13 @@ The client should disconnect, if it doesn't support this version.
 
 ### <span class="font-mono">logout</span>
 
-**UNSTABLE**
-
-This capability is not part of the spec yet, and may be removed or changed at any point.
-
 Logs out of the current authenticated state.
 
 After a successful logout, all new sessions will require authentication.
 There is no guarantee about the behavior of already running sessions.
 
 #### <span class="font-mono">LogoutRequest</span>
 
-**UNSTABLE**
-
-This capability is not part of the spec yet, and may be removed or changed at any point.
-
 Request parameters for the logout method.
 
 Terminates the current authenticated session.
@@ -373,10 +365,6 @@ See protocol docs: [Extensibility](https://agentclientprotocol.com/protocol/exte
 
 #### <span class="font-mono">LogoutResponse</span>
 
-**UNSTABLE**
-
-This capability is not part of the spec yet, and may be removed or changed at any point.
-
 Response to the `logout` method.
 
 **Type:** Object
@@ -2767,10 +2755,6 @@ See protocol docs: [Extensibility](https://agentclientprotocol.com/protocol/exte
 
 ## <span class="font-mono">AgentAuthCapabilities</span>
 
-**UNSTABLE**
-
-This capability is not part of the spec yet, and may be removed or changed at any point.
-
 Authentication-related capabilities supported by the agent.
 
 **Type:** Object
@@ -2814,11 +2798,7 @@ See protocol docs: [Extensibility](https://agentclientprotocol.com/protocol/exte
 
 </ResponseField>
 <ResponseField name="auth" type={<a href="#agentauthcapabilities">AgentAuthCapabilities</a>} >
-  **UNSTABLE**
-
-This capability is not part of the spec yet, and may be removed or changed at any point.
-
-Authentication-related capabilities supported by the agent.
+  Authentication-related capabilities supported by the agent.
 
     - Default: `{}`
 
@@ -4672,10 +4652,6 @@ Protocol names that do not begin with `_` are reserved for the ACP spec.
 
 ## <span class="font-mono">LogoutCapabilities</span>
 
-**UNSTABLE**
-
-This capability is not part of the spec yet, and may be removed or changed at any point.
-
 Logout capabilities supported by the agent.
 
 By supplying `\{\}` it means that the agent supports the logout method.