Curious how others here would represent these in a REST architecture.
/users/login/
/users/logout/
These endpoints set up the session to login in the user, or clear it, respectively. My gut says POST, but I'm not in fact creating an object.
You should use POST - using GET for these actions can lead to issues with browser prefetching and search engine spidering. See (1, 2)