diff --git a/server.py b/server.py
index 2276675..4646d0d 100644
--- a/server.py
+++ b/server.py
@@ -543,17 +543,18 @@ async def logout(request: Request):
     expires_at = datetime.fromtimestamp(claims.get("exp", 0), tz=timezone.utc)
     await db.revoke_token(token_hash, username, expires_at)
-    # Revoke token on all attached L1 renderers
+    # Revoke ALL tokens for this user on attached L1 renderers
+    # (L1 may have scoped tokens different from L2's token)
     attached = await db.get_user_renderers(username)
     for l1_url in attached:
         try:
             requests.post(
-                f"{l1_url}/auth/revoke",
-                headers={"Authorization": f"Bearer {token}"},
+                f"{l1_url}/auth/revoke-user",
+                json={"username": username, "l2_server": f"https://{DOMAIN}"},
                 timeout=5
             )
         except Exception as e:
-            logger.warning(f"Failed to revoke token on {l1_url}: {e}")
+            logger.warning(f"Failed to revoke user tokens on {l1_url}: {e}")
     # Remove all attachments for this user
     for l1_url in attached:
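Review bot: The new `/auth/revoke-user` request in the `requests.post(` call carries no credential — the `Authorization: Bearer` header the old `/auth/revoke` call sent was dropped, and the body only asserts `username` and `l2_server`, which any client can fabricate. Unless the L1 side authenticates the caller by some other means not visible here (mTLS, a source allowlist), anyone who can reach an L1 renderer can force-revoke any user's sessions by posting a spoofed `l2_server`. Keep a caller credential alongside the new body, e.g. `headers={"Authorization": f"Bearer {token}"},` so L1 can verify the request against the named L2 before acting, or use a dedicated server-to-server secret if the user's token is not meant to leave L2. The `except Exception` branch still only logs, so a failed revocation leaves L1 tokens live while the attachment rows are removed right after; if that is not an acceptable best-effort outcome, surface the failure instead of warning. `logout` begins before and continues past this hunk.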