Cookies
Learn about the cookies used by the Session API.
The Prelude Session API uses cookies to manage authentication and verification processes securely.
Modern web browsers block third-party cookies by default. To ensure that the cookies necessary for the Session API to work correctly won’t be blocked, you need to set up a custom domain name that is a subdomain of the domain your application is hosted on.
There are two primary types of cookies used by the API:
Refresh Cookies
Cookie Name: __refresh_{app_id}
Refresh cookies are used to maintain user sessions and enable the generation of new access tokens without requiring users to re-authenticate. These cookies are:
- Sent to the client after successful authentication
- Used in the
/v1/session/refreshendpoint to obtain new access tokens - Required for the
/v1/session/revokeendpoint when logging out
Verification Cookies
Cookie Name: __verification-login_{app_id}
Verification cookies are used during the authentication process to maintain state between verification steps. These cookies:
- Store temporary verification state during multi-step authentication flows
- Are used with the verification endpoints for both phone and email verification
- Are automatically cleared once the verification process is complete
Both cookie types are designed with security in mind and include appropriate flags for secure transmission and storage.
Cookies
Learn about the cookies used by the Session API.
The Prelude Session API uses cookies to manage authentication and verification processes securely.
Modern web browsers block third-party cookies by default. To ensure that the cookies necessary for the Session API to work correctly won’t be blocked, you need to set up a custom domain name that is a subdomain of the domain your application is hosted on.
There are two primary types of cookies used by the API:
Refresh Cookies
Cookie Name: __refresh_{app_id}
Refresh cookies are used to maintain user sessions and enable the generation of new access tokens without requiring users to re-authenticate. These cookies are:
- Sent to the client after successful authentication
- Used in the
/v1/session/refreshendpoint to obtain new access tokens - Required for the
/v1/session/revokeendpoint when logging out
Verification Cookies
Cookie Name: __verification-login_{app_id}
Verification cookies are used during the authentication process to maintain state between verification steps. These cookies:
- Store temporary verification state during multi-step authentication flows
- Are used with the verification endpoints for both phone and email verification
- Are automatically cleared once the verification process is complete
Both cookie types are designed with security in mind and include appropriate flags for secure transmission and storage.