For an api call to log out
Xero is alive for 30 minutes. For a scenario if a user successfuuly logs in by an application and logs out from the app. Another user comes in with same app and log in and try to connect to xero, he will be in the previous users account.
Thus for every "connect to xero" if there is an api to log out of the user then for every "connect to xero" the user should give their login credentials to avoid this situtation
It sounds like you may not understand fully how our various application types work (http://developer.xero.com/documentation/getting-started/api-application-types/) feel free to ask in the developer community if you are still stuck: https://community.xero.com/developer/