diff --git a/server.py b/server.py
index b183da3..09dfb21 100644
--- a/server.py
+++ b/server.py
@@ -531,8 +531,28 @@ async def ui_register_submit(request: Request):
 @app.get("/logout")
-async def logout():
-    """Handle logout - clear cookie and redirect to home."""
+async def logout(request: Request):
+    """Handle logout - clear cookie, revoke token on attached L1s, and redirect to home."""
+    token = request.cookies.get("auth_token")
+    username = verify_token(token) if token else None
+
+    # Revoke token on all attached L1 renderers
+    if username and token:
+        attached = await db.get_user_renderers(username)
+        for l1_url in attached:
+            try:
+                requests.post(
+                    f"{l1_url}/auth/revoke",
+                    headers={"Authorization": f"Bearer {token}"},
+                    timeout=5
+                )
+            except Exception as e:
+                logger.warning(f"Failed to revoke token on {l1_url}: {e}")
+
+    # Remove all attachments for this user
+    for l1_url in attached:
+        await db.detach_renderer(username, l1_url)
+
     response = RedirectResponse(url="/", status_code=302)
     # Delete both legacy (no domain) and new (shared domain) cookies
     response.delete_cookie("auth_token")