Authentication API Cookies

The Auth0 Authentication API uses a set of HTTP cookies to enable single sign-on (SSO), multi-factor authentication (MFA), and attack protection capabilities. The table below shows some of the cookies that the Authentication API relies on and describes their purposes:

Cookie Feature Purpose
auth0 Single Sign-on Used to implement the Auth0 session layer.
auth0_compat Single Sign-on Fallback cookie for single sign-on on browsers that don’t support the sameSite=None attribute.
auth0-mf Multi-factor Authentication Used to establish the trust level for a given device.
auth0-mf_compat Multi-factor Authentication Fallback cookie for multi-factor authentication on browsers that don’t support the sameSite=None attribute.
a0_users:sess Classic Universal Login Used for CSRF protection in Classic Universal Login flows.
a0_users:sess.sig Classic Universal Login Used for CSRF protection in Classic Universal Login flows.
did Attack Protection Device identification for attack protection.
did_compat Attack Protection Fallback cookie for anomaly detection on browsers that don’t support the sameSite=None attribute.

Cookies and custom domains

If you are using custom domains, cookies from the Authentication API are sent to the custom host name, or CNAME you set up in the Auth0 Dashboard. Each cookie's domain attribute, which specifies the domain for which the cookie is valid, is defined in the cookie request header and domain-matches with the domain attribute.

If no domain is specified, the domain attribute defaults to the request-host. If you use IETF’s HTTP State Management Mechanism spec to set cookies on the parent domain, the cookie will be shared with all subdomains of the parent domain.

For example, you set your CNAME to login.example_domain.com as a subdomain of example_domain.com. You host other applications under the parent domain, such as app1.example_domain.com and app2.example_domain.com. When users visit login.example_domain.com, cookies from app1.example_domain.com and app2.example_domain.com may be sent along with requests to Auth0’s Authentication API.

To safeguard our platform and because these cookies may grow to a considerable size and can be shared with other subdomains, Auth0 may reject requests carrying excessively large (multiple kilobytes) headers. Applications should be designed such that excessively large cookies are not sent to the Auth0 Authentication API. To learn more about cookie behavior with custom domains, read Sending Cookies to the Origin Server.

Learn more