diff --git a/EnvelopeGenerator.Web/Controllers/TFARegController.cs b/EnvelopeGenerator.Web/Controllers/TFARegController.cs
index 04832945..7f244028 100644
--- a/EnvelopeGenerator.Web/Controllers/TFARegController.cs
+++ b/EnvelopeGenerator.Web/Controllers/TFARegController.cs
@@ -9,11 +9,13 @@ using DigitalData.Core.DTO;
 using EnvelopeGenerator.Application.Extensions;
 using Microsoft.Extensions.Options;
 using Microsoft.AspNetCore.Authorization;
+using static EnvelopeGenerator.Common.Constants;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication;
 namespace EnvelopeGenerator.Web.Controllers;
 //TODO: Add authorization as well as limiting the link duration (intermediate token with different role) or sign it
-[Route("tfa")]
 public class TFARegController : ViewControllerBase
 {
 private readonly IEnvelopeReceiverService _envRcvService;
@@ -29,8 +31,9 @@ public class TFARegController : ViewControllerBase
 _params = tfaRegParamsOptions.Value;
 }
+ //TODO: move under auth route
 [Authorize]
- [HttpGet("{envelopeReceiverId}")]
+ [HttpGet("tfa/{envelopeReceiverId}")]
 public async Task Reg(string envelopeReceiverId)
 {
 try
@@ -84,4 +87,20 @@ public class TFARegController : ViewControllerBase
 return this.ViewInnerServiceError();
 }
 }
+
+ [Authorize(Roles = ReceiverRole.FullyAuth)]
+ [HttpPost("auth/logout")]
+ public async Task LogOut()
+ {
+ try
+ {
+ await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+ return Ok();
+ }
+ catch(Exception ex)
+ {
+ _logger.LogError(ex, "{message}", ex.Message);
+ return this.ViewInnerServiceError();
+ }
+ }
 }
\ No newline at end of file
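Review bot: In the second hunk `Reg` keeps a bare `[Authorize]` on the new `tfa/{envelopeReceiverId}` route, so unless the default policy is customised elsewhere, any signed-in principal can request it regardless of role. The new `//TODO: move under auth route` does not record what has to hold once the action moves. The body of `Reg` continues outside the hunk, so whether `envelopeReceiverId` is compared with the authenticated receiver cannot be seen here; if it is not, one receiver could open another receiver's TFA registration. I would let the comment carry the requirement, e.g. `//TODO: move under auth route; restrict to the intended receiver role and verify envelopeReceiverId belongs to the signed-in receiver`.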
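Review bot: In the third hunk `[Authorize(Roles = ReceiverRole.FullyAuth)]` on `LogOut` refuses sign-out to a cookie that carries any other receiver role, leaving that session alive. The class-level TODO mentions an intermediate token with a different role, so such sessions appear to be planned. Sign-out should be reachable from every authenticated state, so I would use plain `[Authorize]` here. The action is also a cookie-authenticated POST with no `[ValidateAntiForgeryToken]` in view; unless antiforgery validation is applied globally outside this diff, a cross-site request can end the user's session. A short XML summary on `LogOut` stating that it only clears the cookie-scheme session would document the contract.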