Logout removes long-lived access token when using direct URL — expected behavior?

[Mels-V]

Dear community,

Before opening an issue, I’d like to check whether the behavior I’m seeing is a bug or working as intended.

In my setup, I use Music Assistant with a long-lived access token created via MA Settings → Profile. I then access Music Assistant through Home Assistant using a direct URL like this:
https://192.168.1.1:8095/?code=xxx#/home/?player=kitchen

This works perfectly fine.
However, when I press the Logout button while accessing Music Assistant via this token, the following happens:

• The long-lived access token is removed
• The token also disappears from my profile
• As a result, the URL no longer works

My expectation was that logging out would only end the current session, not invalidate or delete the long-lived access token itself.

So my question is: Is this behavior intentional, or could this be a bug?

Thanks in advance for any clarification or insight!

[OzGav]

@marcelveldt

[marcelveldt]

Yes that is intended behavior and a security design choice. Maybe we need to hide logout if you are enforcing login through an provided (long lived) token?

[Mels-V]

Yes that is intended behavior and a security design choice. Maybe we need to hide logout if you are enforcing login through an provided (long lived) token?

Hi @marcelveldt, I think hiding that button would be a great solution to prevent accidental logout and removing the token when embedding MA using a token! I hope this could be implemented, it would be highly appreciated.

[Mels-V]

Yes that is intended behavior and a security design choice. Maybe we need to hide logout if you are enforcing login through an provided (long lived) token?

Hi @marcelveldt, are there any updates on this? It would be great if we could implement it. Or do I need to make an official feature request?