Parallel Logout doesn't work

[ricardogomez-dev]

It appears that Parallel Markets stores the user session in both cookies and localStorage. I'm attempting to programmatically clear the session when a user switches investor accounts by calling parallel.logout(). However, this method doesn't fully clear the previous session, which prevents the accreditation process from working correctly for new users.

Currently, only the initial login works as expected. After that, unless cookies and localStorage are manually cleared, login and logout do not behave properly for subsequent users. Obviously, asking hundreds of thousands of investors—many of whom are not technically inclined—to manually clear browser storage is not a practical solution.

I need to know how to fully clear the user session using the Parallel Markets SDK, so that switching accounts works seamlessly without requiring any manual intervention.

[nonrational]

Thank you for the feedback, @ricardogomez-dev!

When a user authenticates via the Parallel JS SDK, an OAuth 2.0 PKCE session is established between your site and Parallel Markets. This session enables secure, scoped access to user data (e.g., via getProfile()). Calling parallel.logout() terminates this OAuth session, preventing further data access and allowing a new user to initiate a fresh session.

However, since the SDK is embedded on a domain other than app.parallelmarkets.com, it does not have access to the user's session cookies. This isolation is enforced by browser security policies and means the SDK cannot fully log a user out of their Parallel Markets account — it can only end the OAuth session between your site and Parallel.

To date, we've taken the position that partners should not authenticate or de-authenticate users on their behalf, whether in an embedded flow or on our main site. That said, our longer-term roadmap includes separating authentication contexts between embedded environments and our main platform. This would allow partners to end authenticated sessions more cleanly (though partners will never be able to initiate authentication on a user's behalf).

We haven’t prioritized this yet, largely because the risk in shared-device environments is mitigated by a few key factors:

1. Short session duration — sessions expire after a maximum of 2 hours.
2. User visibility — the authenticated user's email is displayed, giving others a chance to log out and re-authenticate.
3. Limited data exposure — sensitive information (e.g., Tax IDs, Government IDs) is not readily accessible, even in the user dashboard.

In cases where multiple users are sharing a device, we provide a “Not <email_address>?” link in embedded contexts. This allows users to explicitly end the current session (permissable inside the app.parallelmarkets.com iframe) and switch accounts.