The Prelude Session API uses cookies to manage authentication and verification processes securely.
Modern web browsers block third-party cookies by default. To ensure that the cookies necessary for the Session API to work correctly won’t be blocked, you need to set up a custom domain name that is a subdomain of the domain your application is hosted on.
There are two primary types of cookies used by the API:

Refresh Cookies

Cookie Name: __refresh_{app_id}

Refresh cookies are used to maintain user sessions and enable the generation of new access tokens without requiring users to re-authenticate. These cookies are:
  • Sent to the client after successful authentication
  • Used in the /v1/session/refresh endpoint to obtain new access tokens
  • Required for the /v1/session/revoke endpoint when logging out

Verification Cookies

Cookie Name: __verification-login_{app_id}

Verification cookies are used during the authentication process to maintain state between verification steps. These cookies:
  • Store temporary verification state during multi-step authentication flows
  • Are used with the verification endpoints for both phone and email verification
  • Are automatically cleared once the verification process is complete

Both cookie types are designed with security in mind and include appropriate flags for secure transmission and storage.
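One way to check a deployment against the custom-domain requirement and the cookie flags described above is the audit below. It is an added example, not code from Prelude. The hostnames, the app id `app_123` and the Set-Cookie lines are constructed, and the choice of Secure, HttpOnly and SameSite as the attributes to audit is an assumption, since the page does not list which flags the API sets.

```javascript
// Added example, not Prelude code. Hostnames, app id and headers are constructed.
const SAMPLE_HEADERS = [
  "__refresh_app_123=opaque; Path=/; Secure; HttpOnly; SameSite=Lax",
  "__verification-login_app_123=opaque; Path=/; HttpOnly",
];

// True when apiHost is a strict subdomain of appHost (the custom-domain requirement).
function isSubdomainOf(apiHost, appHost) {
  const norm = (h) => h.toLowerCase().replace(/\.$/, "");
  const api = norm(apiHost);
  const app = norm(appHost);
  return api !== app && api.endsWith("." + app);
}

// Split one Set-Cookie value into its cookie name and lowercased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    attrs[(i === -1 ? part : part.slice(0, i)).toLowerCase()] =
      i === -1 ? true : part.slice(i + 1);
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// List findings for the two session cookies of one app.
// Assumption: Secure, HttpOnly and SameSite are the attributes being audited.
function auditSessionCookies(appId, appHost, apiHost, setCookieHeaders) {
  const findings = [];
  if (!isSubdomainOf(apiHost, appHost)) {
    findings.push(`${apiHost} is not a subdomain of ${appHost}`);
  }
  const expected = [`__refresh_${appId}`, `__verification-login_${appId}`];
  for (const header of setCookieHeaders) {
    const { name, attrs } = parseSetCookie(header);
    if (!expected.includes(name)) continue; // ignore unrelated cookies
    for (const flag of ["Secure", "HttpOnly", "SameSite"]) {
      if (!attrs[flag.toLowerCase()]) findings.push(`${name}: missing ${flag}`);
    }
  }
  return findings;
}

console.log(auditSessionCookies("app_123", "example.com", "session.example.com", SAMPLE_HEADERS));
```

Feed it the Set-Cookie values captured from your own authentication and verification responses; an empty result means the host and all audited attributes passed.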