The Prelude Session API uses cookies to manage authentication and verification processes securely. There are two primary types of cookies used by the API:

Refresh Cookies

Cookie Name: __refresh_{app_id}

Refresh cookies are used to maintain user sessions and enable the generation of new access tokens without requiring users to re-authenticate. These cookies are:

  • Sent to the client after successful authentication
  • Used in the /v1/session/refresh endpoint to obtain new access tokens
  • Required for the /v1/session/revoke endpoint when logging out

Verification Cookies

Cookie Name: __verification-login_{app_id}

Verification cookies are used during the authentication process to maintain state between verification steps. These cookies:

  • Store temporary verification state during multi-step authentication flows
  • Are used with the verification endpoints for both phone and email verification
  • Are automatically cleared once the verification process is complete

Both cookie types are designed with security in mind and include appropriate flags for secure transmission and storage.
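
To check those flags on a real deployment, the following added example (not Prelude's own code) audits `Set-Cookie` headers for the two cookie names above. It assumes the relevant attributes are `Secure`, `HttpOnly` and `SameSite`, which this page does not enumerate; the function names, the app id `app_123` and the sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for the two Prelude session cookies.
// Assumption: "appropriate flags" is checked here as Secure, HttpOnly and
// SameSite; the page does not list the exact attributes the API sets.
const COOKIE_PREFIXES = ["__refresh_", "__verification-login_"];

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return a list of findings for the session cookies belonging to appId.
function auditSessionCookies(setCookieHeaders, appId) {
  const findings = [];
  const expected = COOKIE_PREFIXES.map((p) => p + appId);
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (!c || !expected.includes(c.name)) continue; // not a session cookie
    if (!c.attrs.secure) findings.push(`${c.name}: missing Secure`);
    if (!c.attrs.httponly) findings.push(`${c.name}: missing HttpOnly`);
    const ss = String(c.attrs.samesite || "").toLowerCase();
    if (!["strict", "lax", "none"].includes(ss)) {
      findings.push(`${c.name}: missing SameSite`);
    }
  }
  return findings;
}

// Constructed sample headers; the app id "app_123" is made up.
const SAMPLE_HEADERS = [
  "__refresh_app_123=opaque-value; Path=/; Secure; HttpOnly; SameSite=Strict",
  "__verification-login_app_123=opaque-state; Path=/; HttpOnly",
  "theme=dark; Path=/",
];

console.log(auditSessionCookies(SAMPLE_HEADERS, "app_123"));
```

An empty result means every matching cookie carried all three attributes; cookies with other names are ignored.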