diff --git a/changes/issue-10798-unauthd-logout-return-401 b/changes/issue-10798-unauthd-logout-return-401
new file mode 100644
index 0000000000..8bced6c796
--- /dev/null
+++ b/changes/issue-10798-unauthd-logout-return-401
@@ -0,0 +1 @@
+* Fix `/api/_version/fleet/logout` to return HTTP 401 if unauthorized.
diff --git a/server/service/integration_core_test.go b/server/service/integration_core_test.go
index 76b4f906e4..7fdfbf3ae6 100644
--- a/server/service/integration_core_test.go
+++ b/server/service/integration_core_test.go
@@ -3329,7 +3329,7 @@ func (s *integrationTestSuite) TestUsers() {
 	s.DoJSON("POST", "/api/latest/fleet/logout", nil, http.StatusOK, &logoutResp)
 	// logout again, even though not logged in
-	s.DoJSON("POST", "/api/latest/fleet/logout", nil, http.StatusInternalServerError, &logoutResp) // TODO: should be OK even if not logged in, see #4406.
+	s.DoJSON("POST", "/api/latest/fleet/logout", nil, http.StatusUnauthorized, &logoutResp)
 	s.token = s.getTestAdminToken()
diff --git a/server/service/sessions.go b/server/service/sessions.go
index cabbb14780..7b0a94319c 100644
--- a/server/service/sessions.go
+++ b/server/service/sessions.go
@@ -232,14 +232,13 @@ func (svc *Service) Logout(ctx context.Context) error {
 	logging.WithLevel(ctx, level.Info)
-	// TODO: this should not return an error if the user wasn't logged in
 	return svc.DestroySession(ctx)
 }
 func (svc *Service) DestroySession(ctx context.Context) error {
 	vc, ok := viewer.FromContext(ctx)
 	if !ok {
-		return fleet.ErrNoContext
+		return fleet.NewAuthRequiredError(fleet.ErrNoContext.Error())
 	}
 	session, err := svc.ds.SessionByID(ctx, vc.SessionID())
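Review bot: The second logout on the changed line still sends `s.token`, which was just invalidated by the first logout, so the 401 it asserts is probably produced by the stale-token rejection in the auth layer rather than by the no-viewer branch that sessions.go changes in this same commit. If that is the case, the new `DestroySession` path is not covered; a second request with the token cleared (`s.token = ""` before the call, restored right after) would pin it, and the comment could say which path each case exercises, e.g. `// logout with a revoked token, then with no token at all: both must be 401`. The enclosing TestUsers starts and ends outside the hunk, so I cannot see whether a later case already does this.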
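Review bot: `DestroySession` changes its contract for the no-viewer case (it now returns an auth-required error instead of the bare `fleet.ErrNoContext` sentinel) without a doc comment recording the decision, and the only explanation of the intent, the removed TODO in `Logout`, is gone with this commit. A comment on the method would keep the choice visible, e.g. `// DestroySession deletes the session of the viewer in ctx. It returns an auth-required error (surfaced as HTTP 401) when ctx carries no viewer, so an unauthenticated logout is rejected rather than silently succeeding.` Because the sentinel is passed as `fleet.ErrNoContext.Error()`, the new error presumably no longer satisfies `errors.Is(err, fleet.ErrNoContext)`; any other caller of `DestroySession` matching on that sentinel would need checking, since this is an exported method and not only reached via `Logout`. `DestroySession` continues past the end of the hunk.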