Apigee customers can offer API products to their own customers (app developers)
through a developer portal. This document describes how cookies are used to
deliver this experience for portal users.
Cookies for all visitors
JSESSIONID: A random value that is used to correlate web requests
with sessions.
X-Apigee-CSRF2: Used for all visitors to a site,
but only populated after a user authenticates. It helps to protect
against cross-site request forgery (CSRF).
Additional cookies for authenticated users
portalSession: A JWT session token used to authenticate requests.
It is cleared on logout.
portalRefresh: A JWT refresh token used
to generate a new session token. It is cleared on logout.
Cookies specific to the identity service
SSO_JSESSIONID: Used by the identity service to maintain a logged-in
session for the user and to maintain state during login.
route: Used to route a user to an identity instance for their
session.
X-Uaa-Csrf: Used by the identity service to protect against
cross-site request forgery (CSRF).
Use of reCAPTCHA
The identity service uses reCAPTCHA to protect against robot actors.
reCAPTCHA may use additional cookies, including cookies on the google.com domain.
See the reCAPTCHA documentation regarding its use of cookies.
The integration with reCAPTCHA generates the recaptcha-ca-t cookie, which is used to
provide security integration and protection against robot actors.
Deprecated cookies
portalDefaultDomain (deprecated): Was used for portals where the
custom domain was enabled before February 18, 2020. It
determined which domain to send requests to, and it has since been
deprecated. Disabling and re-enabling the custom domain of any portal
will remove it.
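The cookie inventory above can be turned into a check on a captured logout response. The following is an added example, not Apigee code: it flags cookie names that are not listed on this page, a deprecated cookie that is still being set, and session tokens that are not cleared on logout. It assumes that clearing appears as a Set-Cookie header that expires the cookie (Max-Age of zero or less, or an Expires date in the past); the function names and the sample headers are constructed for illustration.

```python
# Added example (not Apigee code); assumes logout clears cookies by expiring them.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

KNOWN = {  # current cookies named on this page
    "JSESSIONID", "X-Apigee-CSRF2", "portalSession", "portalRefresh",
    "SSO_JSESSIONID", "route", "X-Uaa-Csrf", "recaptcha-ca-t",
}
DEPRECATED = {"portalDefaultDomain"}
CLEARED_ON_LOGOUT = {"portalSession", "portalRefresh"}

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, lowercase-keyed attrs)."""
    first, *rest = header.split(";")
    pairs = (part.strip().partition("=") for part in rest)
    return first.strip().partition("=")[0], {k.lower(): v for k, _, v in pairs}

def is_deletion(attrs, now):
    """True if the attributes expire the cookie; Max-Age wins over Expires."""
    try:
        return int(attrs["max-age"]) <= 0
    except (KeyError, ValueError):
        pass  # absent or invalid Max-Age: fall back to Expires
    try:
        return parsedate_to_datetime(attrs["expires"]) <= now
    except (KeyError, TypeError, ValueError):
        return False

def audit_logout(set_cookie_headers, now=None):
    """Return findings for the Set-Cookie headers of one logout response."""
    now = now or datetime.now(timezone.utc)
    findings, cleared = [], set()
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        deleted = is_deletion(attrs, now)
        if name in DEPRECATED and not deleted:
            findings.append(f"deprecated cookie still set: {name}")
        elif name not in KNOWN | DEPRECATED:
            findings.append(f"unknown cookie: {name}")
        if name in CLEARED_ON_LOGOUT and deleted:
            cleared.add(name)
    missing = sorted(CLEARED_ON_LOGOUT - cleared)
    return findings + [f"not cleared on logout: {n}" for n in missing]

SAMPLE_LOGOUT = [  # constructed headers, not captured from a real portal
    "portalSession=; Max-Age=0; Path=/",
    "portalRefresh=constructed.jwt.value; Path=/",
    "portalDefaultDomain=portal.example.com; Path=/",
    "tracker=abc123; Path=/",
]
```

Running audit_logout(SAMPLE_LOGOUT) reports the deprecated cookie, the unlisted tracker cookie, and the portalRefresh token that was re-set instead of expired.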
Last updated 2025-03-21 UTC.