diff --git a/app/Http/Controllers/Api/AuthController.php b/app/Http/Controllers/Api/AuthController.php
index d387fb0..0862b2b 100644
--- a/app/Http/Controllers/Api/AuthController.php
+++ b/app/Http/Controllers/Api/AuthController.php
@@ -8,7 +8,7 @@ use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Validation\Rules\Password;
-use Laravel\Sanctum\PersonalAccessToken;
+use Laravel\Sanctum\TransientToken;
 
 class AuthController extends Controller
 {
@@ -46,9 +46,15 @@ class AuthController extends Controller
 
 public function logout(Request $request): JsonResponse
 {
- /** @var PersonalAccessToken $token */
 $token = $request->user()->currentAccessToken();
- $token->delete();
+
+ // TransientToken means session-based auth (no Bearer token) — invalidate session instead
+ if ($token instanceof TransientToken) {
+ $request->session()->invalidate();
+ $request->session()->regenerateToken();
+ } else {
+ $token->delete();
+ }
 
 return response()->json(['message' => 'Logged out.']);
 }
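Review bot: The TransientToken branch of logout() invalidates the session but never logs the user out of the session guard, so the guard's own logout handling (clearing a remember-me cookie, cycling the remember token, firing the logout event) is skipped. If the login flow issues a remember-me cookie (not visible in this hunk), the browser could be re-authenticated on its next request despite the "Logged out." response. The `Auth` facade is already imported, so add `Auth::guard('web')->logout();` (or whichever guard Sanctum's `guard` config names) before `$request->session()->invalidate();`. In the else branch, `currentAccessToken()` may return null when the user was resolved by a guard that sets no token, so `$token?->delete();` would be safer there if the project targets PHP 8. A feature test that logs out once with a session cookie and once with a Bearer token, then asserts the next authenticated request is rejected, would pin both paths.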