Cookies
Learn about the cookies used by the Session API.
The Prelude Session API uses cookies to manage authentication and verification processes securely.
Modern web browsers block third-party cookies by default. To ensure that the cookies necessary for the Session API to work correctly won’t be blocked, you need to set up a custom domain name that is a subdomain of the domain your application is hosted on.
There are two primary types of cookies used by the API:
Refresh Cookies
Cookie Name: __refresh_{app_id}
Refresh cookies are used to maintain user sessions and enable the generation of new access tokens without requiring users to re-authenticate. These cookies are:
- Sent to the client after successful authentication
- Used in the
/v1/session/refreshendpoint to obtain new access tokens - Required for the
/v1/session/revokeendpoint when logging out
Verification Cookies
Cookie Name: __verification-login_{app_id}
Verification cookies are used during the authentication process to maintain state between verification steps. These cookies:
- Store temporary verification state during multi-step authentication flows
- Are used with the verification endpoints for both phone and email verification
- Are automatically cleared once the verification process is complete
Both cookie types are designed with security in mind and include appropriate flags for secure transmission and storage.