Work With Shared Cookies

Doc type: Explanation

The hosted auth portal sets HttpOnly cookies scoped to .yoyogroup.com. The cookie prefix (${AUTH_COOKIE_PREFIX}) varies by environment:

  • Production: yoyo_auth_
  • Integration: yoyo_auth_int_

The portal sets the following cookies:

  • ${AUTH_COOKIE_PREFIX}access_token (primary session token)
  • ${AUTH_COOKIE_PREFIX}id_token (identity claims)
  • ${AUTH_COOKIE_PREFIX}refresh_token (optional refresh token)

Cookie lifetime and attributes:

  • Access and ID token cookies use the token expiresIn value (default 3600 seconds).
  • Refresh tokens expire on a longer schedule than access and ID tokens.
  • Cookies are HttpOnly, Secure, and use SameSite=lax by default.

Read cookies server-side

Because the cookies are HttpOnly, read them only in server components, route handlers, or middleware.

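import { cookies } from 'next/headers'; // assumption: Next.js App Router, which provides cookies()
const accessToken = cookies().get('yoyo_auth_access_token')?.value;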
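Because both prefixes are set on .yoyogroup.com and the integration prefix begins with the production one, a request to an integration subdomain can carry cookies for both environments. The following is an added example, not the portal's or the project's own code: a framework-agnostic helper that reads the three cookies for exactly one environment by exact name from a raw Cookie header. The function names, the sample header, and the choice to treat a repeated name with conflicting values as absent are assumptions of this example.

```javascript
// Added example (not the portal's code). Prefix values are taken from this page;
// PREFIXES, parseCookieHeader and readAuthCookies are hypothetical names.
const PREFIXES = new Map([
  ['production', 'yoyo_auth_'],
  ['integration', 'yoyo_auth_int_'],
]);
const TOKEN_KINDS = ['access_token', 'id_token', 'refresh_token'];

// Parse a raw Cookie request header into a Map of name -> list of values.
// A list is kept because the same name can appear more than once in a header.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                 // not a name=value pair
    const name = part.slice(0, eq).trim();
    if (!name) continue;                  // nameless pair
    const value = part.slice(eq + 1).trim();
    if (!jar.has(name)) jar.set(name, []);
    jar.get(name).push(value);
  }
  return jar;
}

// Return { access_token, id_token, refresh_token } for one environment.
// Names are matched exactly, never with startsWith(), so the integration
// cookies are not mistaken for production ones or the reverse.
function readAuthCookies(header, env) {
  const prefix = PREFIXES.get(env);
  if (!prefix) throw new Error(`unknown environment: ${env}`);
  const jar = parseCookieHeader(header);
  const tokens = {};
  for (const kind of TOKEN_KINDS) {
    const distinct = [...new Set(jar.get(prefix + kind) || [])].filter(Boolean);
    // Exactly one distinct, non-empty value is accepted; a missing cookie or
    // conflicting duplicates yield null so the caller treats the user as signed out.
    tokens[kind] = distinct.length === 1 ? distinct[0] : null;
  }
  return tokens;
}

// Constructed sample header: one production cookie and two integration cookies.
const SAMPLE_HEADER =
  'theme=dark; yoyo_auth_access_token=prod.aaa; ' +
  'yoyo_auth_int_access_token=int.bbb; yoyo_auth_int_id_token=int.ccc';
```

The returned values are still opaque strings; validate the token itself before trusting any claim in it.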

Local development notes

  • Cookies are only shared across *.yoyogroup.com subdomains.
  • For local development with shared cookies, use a staging or development subdomain so the shared cookies are available (for example dev-app.int.yoyogroup.com).
  • If you must run on localhost, use the OAuth code flow instead of shared cookies. See Local development quickstart.