Authentication API Cookies

The Auth0 Authentication API uses a set of HTTP cookies to enable Single Sign-On (SSO), Multi-factor Authentication, and Attack Protection capabilities. The following is a non-exhaustive list of cookies that the Authentication API relies on and a description of their respective purpose:

| Cookie | Feature | Purpose |
|---|---|---|
| auth0 | Single Sign On | Used to implement the Auth0 Session Layer. |
| auth0_compat | Single Sign On | Fallback cookie for Single Sign On on browsers that don’t support the sameSite=None attribute. |
| auth0-mf | Multi-factor Authentication | Used to establish the trust level for a given device. |
| auth0-mf_compat | Multi-factor Authentication | Fallback cookie for Multi-factor Authentication on browsers that don’t support the sameSite=None attribute. |
| did | Attack Protection | Device identification for the purposes of Attack Protection. |
| did_compat | Anomaly Detection | Fallback cookie for Anomaly Detection on browsers that don’t support the sameSite=None attribute. |

Auth0 does not support scenarios in which the noted Authentication cookies are modified in any way, including the addition, modification, or removal of cookie attributes, whether through non-standard browsers, browser add-ons, or HTTP proxies.

Cookies and custom domains

When using Custom Domains, the Authentication API cookies are sent to your custom domain, such as login.northwind.com, where northwind.com is a domain that you control. However, other web applications hosted under your domain, such as App1, may set cookies scoped to northwind.com instead of app1.northwind.com. The browser then sends those cookies along with every request to the Auth0 Authentication API, which is undesirable from both a privacy and a performance point of view.

To safeguard our platform and because these cookies may grow to a considerable size, Auth0 may reject requests carrying excessively large (multiple kilobytes) headers. Applications should be architected such that excessively large cookies are not sent to the Auth0 Authentication API.
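The following is an added example, not Auth0's code, that models RFC 6265 domain matching to show which cookies a browser would attach to requests to the custom login domain, and how a parent-domain cookie from another app inflates the Cookie header. The cookie jar, the cookie sizes and the 4096-byte threshold are constructed for illustration; Auth0 does not publish an exact limit.

```javascript
// Constructed sample cookie jar: each entry is a cookie as stored by the browser.
// Sizes are made up to illustrate the effect, not taken from Auth0.
const SAMPLE_JAR = [
  { name: 'auth0', domain: 'login.northwind.com', value: 'x'.repeat(1200) },        // Auth0 session cookie
  { name: 'auth0_compat', domain: 'login.northwind.com', value: 'x'.repeat(1200) }, // sameSite fallback
  { name: 'app1_session', domain: 'northwind.com', value: 'y'.repeat(3000) },      // set on the parent domain: leaks
  { name: 'app1_prefs', domain: 'app1.northwind.com', value: 'z'.repeat(3000) },   // scoped to its own host: stays put
];

// Assumed illustrative header-size threshold (the page only says "multiple kilobytes").
const EXAMPLE_LIMIT_BYTES = 4096;

// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain,
// or the host ends with "." followed by the cookie domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// Cookies the browser would attach to a request to `host`.
function cookiesSentTo(jar, host) {
  return jar.filter((c) => domainMatches(host, c.domain));
}

// Byte length of the resulting "Cookie: name=value; name=value" header value.
function cookieHeaderSize(cookies) {
  return cookies.map((c) => `${c.name}=${c.value}`).join('; ').length;
}

// Audit: which cookies reach the auth host, which of them belong to other apps
// (cookie domain broader than the auth host), and whether the header is oversized.
function auditCookies(jar, authHost, limitBytes) {
  const sent = cookiesSentTo(jar, authHost);
  const foreign = sent.filter((c) => c.domain.toLowerCase() !== authHost.toLowerCase()).map((c) => c.name);
  const size = cookieHeaderSize(sent);
  return { sentNames: sent.map((c) => c.name), foreign, size, overLimit: size > limitBytes };
}

// Mitigation: re-scope an application cookie to its own host so it no longer
// domain-matches login.northwind.com. Returns a new jar; the input is untouched.
function rescopeCookie(jar, name, newDomain) {
  return jar.map((c) => (c.name === name ? { ...c, domain: newDomain } : c));
}

console.log(auditCookies(SAMPLE_JAR, 'login.northwind.com', EXAMPLE_LIMIT_BYTES));
console.log(auditCookies(rescopeCookie(SAMPLE_JAR, 'app1_session', 'app1.northwind.com'),
  'login.northwind.com', EXAMPLE_LIMIT_BYTES));
```

Running the audit before and after `rescopeCookie` shows the `app1_session` cookie disappearing from the request to the login host and the header dropping below the threshold; the same check can be run against a real jar exported from browser developer tools.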
