The Prelude Session API uses cookies to manage authentication and verification processes securely.

Modern web browsers block third-party cookies by default. To ensure that the cookies necessary for the Session API to work correctly won’t be blocked, you need to set up a custom domain name that is a subdomain of the domain your application is hosted on.

There are two primary types of cookies used by the API:

Refresh Cookies

Cookie Name: __refresh_{app_id}

Refresh cookies are used to maintain user sessions and enable the generation of new access tokens without requiring users to re-authenticate. These cookies are:

  • Sent to the client after successful authentication
  • Used in the /v1/session/refresh endpoint to obtain new access tokens
  • Required for the /v1/session/revoke endpoint when logging out

Verification Cookies

Cookie Name: __verification-login_{app_id}

Verification cookies are used during the authentication process to maintain state between verification steps. These cookies:

  • Store temporary verification state during multi-step authentication flows
  • Are used with the verification endpoints for both phone and email verification
  • Are automatically cleared once the verification process is complete

Both cookie types are designed with security in mind and include appropriate flags for secure transmission and storage.

The Prelude Session API uses cookies to manage authentication and verification processes securely.

Modern web browsers block third-party cookies by default. To ensure that the cookies necessary for the Session API to work correctly won’t be blocked, you need to set up a custom domain name that is a subdomain of the domain your application is hosted on.

There are two primary types of cookies used by the API:

Refresh Cookies

Cookie Name: __refresh_{app_id}

Refresh cookies are used to maintain user sessions and enable the generation of new access tokens without requiring users to re-authenticate. These cookies are:

  • Sent to the client after successful authentication
  • Used in the /v1/session/refresh endpoint to obtain new access tokens
  • Required for the /v1/session/revoke endpoint when logging out

Verification Cookies

Cookie Name: __verification-login_{app_id}

Verification cookies are used during the authentication process to maintain state between verification steps. These cookies:

  • Store temporary verification state during multi-step authentication flows
  • Are used with the verification endpoints for both phone and email verification
  • Are automatically cleared once the verification process is complete

Both cookie types are designed with security in mind and include appropriate flags for secure transmission and storage.