Learn about the cookies used by the Session API.
The Prelude Session API uses cookies to manage authentication and verification processes securely.
Modern web browsers block third-party cookies by default. To ensure that the cookies necessary for the Session API to work correctly won’t be blocked, you need to set up a custom domain name that is a subdomain of the domain your application is hosted on.
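The check below is an added example, not Prelude's code: it verifies that a Session API custom domain sits under the same domain as the application, so the browser treats its cookies as first-party. The function names, the sample hosts, and the `appDomain` parameter (the domain you own, supplied by the caller rather than derived from the Public Suffix List) are assumptions.

```javascript
// Added example: pre-deployment check for the custom domain requirement.
// All names and hosts here are hypothetical, not part of the Prelude API.

// Lowercase the host and strip a single trailing dot ("example.com." form).
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True when `host` equals `domain` or sits below it on a label boundary.
// A plain endsWith(domain) would wrongly accept "evilexample.com".
function isWithinDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// appUrl:     where the application is served
// sessionUrl: the custom domain configured for the Session API
// appDomain:  the domain you own (assumption: provided by the caller)
function checkSessionDomain(appUrl, sessionUrl, appDomain) {
  const domain = normalizeHost(appDomain);
  const appHost = normalizeHost(new URL(appUrl).hostname);
  const sessionHost = normalizeHost(new URL(sessionUrl).hostname);
  const problems = [];

  if (!isWithinDomain(appHost, domain)) {
    problems.push(`application host ${appHost} is not under ${domain}`);
  }
  // The session host must be a strict subdomain, not the bare domain itself.
  if (sessionHost === domain || !isWithinDomain(sessionHost, domain)) {
    problems.push(`session host ${sessionHost} is not a subdomain of ${domain}`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample configurations.
const samples = [
  ["https://app.example.com", "https://session.example.com"],     // first-party
  ["https://app.example.com", "https://session.evilexample.com"], // look-alike suffix
  ["https://app.example.com", "https://sessions.vendor.test"],    // third-party host
];
for (const [app, session] of samples) {
  const result = checkSessionDomain(app, session, "example.com");
  console.log(session, result.ok ? "OK" : result.problems.join("; "));
}
```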
There are two primary types of cookies used by the API:
Cookie Name: __refresh_{app_id}
Refresh cookies are used to maintain user sessions and enable the generation of new access tokens without requiring users to re-authenticate. These cookies are:
/v1/session/refresh endpoint to obtain new access tokens
/v1/session/revoke endpoint when logging out
Cookie Name: __verification-login_{app_id}
Verification cookies are used during the authentication process to maintain state between verification steps. These cookies:
Both cookie types are designed with security in mind and include appropriate flags for secure transmission and storage.