> Learn about Authentication API cookies, including what they are, what they are used for, and how they should be handled.

# Authentication API Cookies

The Auth0 Authentication API uses a set of HTTP cookies to enable [single sign-on (SSO)](/docs/authenticate/single-sign-on), [multi-factor authentication (MFA)](/docs/secure/multi-factor-authentication), and [attack protection](/docs/secure/attack-protection) capabilities. The table below shows some of the cookies that the Authentication API relies on and describes their purposes:

| **Cookie**          | **Feature**                 | **Purpose**                                                                                                   |
| ------------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------- |
| `auth0`             | Single Sign-on              | Used to implement the [Auth0 session layer](/docs/manage-users/sessions/session-layers).                      |
| `auth0_compat`      | Single Sign-on              | Fallback cookie for single sign-on on browsers that don’t support the `sameSite=None` attribute.              |
| `auth0-mf`          | Multi-factor Authentication | Used to establish the trust level for a given device.                                                         |
| `auth0-mf_compat`   | Multi-factor Authentication | Fallback cookie for multi-factor authentication on browsers that don’t support the `sameSite=None` attribute. |
| `a0_users:sess`     | Classic Login               | Used for CSRF protection in Classic Login flows.                                                              |
| `a0_users:sess.sig` | Classic Login               | Used for CSRF protection in Classic Login flows.                                                              |
| `did`               | Attack Protection           | Device identification for attack protection.                                                                  |
| `did_compat`        | Attack Protection           | Fallback cookie for anomaly detection on browsers that don’t support the `sameSite=None` attribute.           |

<Warning>
  Auth0 does not support scenarios in which the noted Authentication cookies are modified in any way, including the addition, modification, or removal of cookie attributes, whether through non-standard browsers, browser add-ons, or HTTP proxies.
</Warning>

## Cookies and custom domains

If you are using [custom domains](/docs/customize/custom-domains), cookies from the Authentication API are sent to the custom host name (the CNAME) you set up in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>. Each cookie's domain attribute, which specifies the domain for which the cookie is valid, is set when the cookie is issued; a browser attaches the cookie to a request only when the request host domain-matches that attribute.

If no domain attribute is specified, it defaults to the request host. If you follow the IETF [HTTP State Management Mechanism](https://datatracker.ietf.org/doc/html/rfc2109#section-2) spec and set cookies on the parent domain, the cookie is shared with all subdomains of the parent domain.

For example, suppose you set your CNAME to `login.example_domain.com`, a subdomain of `example_domain.com`, and you host other applications under the same parent domain, such as `app1.example_domain.com` and `app2.example_domain.com`. If those applications set cookies on the parent domain, then when users visit `login.example_domain.com`, cookies from `app1.example_domain.com` and `app2.example_domain.com` may be sent along with requests to Auth0’s Authentication API.

Because these cookies may grow to a considerable size and can be shared with other subdomains, Auth0 may reject requests carrying excessively large (multiple kilobytes) headers in order to safeguard our platform. Applications should be designed such that excessively large cookies are not sent to the Auth0 Authentication API. To learn more about cookie behavior with <Tooltip tip="Custom Domain: Third-party domain with a specialized, or vanity, name." cta="View Glossary" href="/docs/glossary?term=custom+domains">custom domains</Tooltip>, read [Sending Cookies to the Origin Server](https://datatracker.ietf.org/doc/html/rfc2109#section-4.3.4).
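The following is an added example (not Auth0's code) that simulates the browser behavior described above: it applies domain-matching to a constructed cookie jar to show which cookies reach the custom domain `login.example_domain.com`, and measures the resulting `Cookie` header so an application team can spot parent-domain cookies that push requests to Auth0 past a size threshold. The hostnames, cookie names and values, and the 4 KB threshold are assumptions chosen for illustration.

```javascript
// Added example: which stored cookies does a browser attach to a request for
// the Auth0 custom domain, and how large is the resulting Cookie header?
// All hostnames and cookie values below are constructed for illustration.

// Domain-matching as the HTTP State Management Mechanism defines it: the
// request host either equals the cookie domain or ends with "." + domain.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// A cookie issued without a Domain attribute is host-only: it goes back only
// to the exact host that set it. A cookie with Domain=<parent> is sent to
// every subdomain of that parent, which is how app cookies leak to the CNAME.
function cookiesFor(requestHost, jar) {
  const host = requestHost.toLowerCase();
  return jar.filter((c) =>
    c.hostOnly ? c.domain === host : domainMatches(host, c.domain)
  );
}

function cookieHeader(cookies) {
  return cookies.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Constructed jar: Auth0's session cookie is host-only on the CNAME, while
// two sibling applications set large cookies on the parent domain.
const JAR = [
  { name: "auth0", value: "s:abc", domain: "login.example_domain.com", hostOnly: true },
  { name: "app1_sess", value: "x".repeat(3000), domain: "example_domain.com", hostOnly: false },
  { name: "app2_prefs", value: "y".repeat(2500), domain: "example_domain.com", hostOnly: false },
  { name: "app1_local", value: "z", domain: "app1.example_domain.com", hostOnly: true },
];

// Assumed review threshold, not an Auth0-published limit: the page only says
// "multiple kilobytes", so flag anything beyond 4 KB for investigation.
const HEADER_LIMIT_BYTES = 4096;

// Returns the cookie names that would be sent, the header size, and whether
// that size exceeds the threshold.
function checkRequest(requestHost, jar) {
  const sent = cookiesFor(requestHost, jar);
  const header = cookieHeader(sent);
  return { names: sent.map((c) => c.name), bytes: header.length, tooLarge: header.length > HEADER_LIMIT_BYTES };
}

console.log(checkRequest("login.example_domain.com", JAR));
```

Running it shows the two parent-domain cookies riding along to the Auth0 CNAME and pushing the header past the threshold, while the host-only `app1_local` cookie stays with `app1.example_domain.com`.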

## Learn more

* [SameSite Cookie Attribute Changes](/docs/manage-users/cookies/samesite-cookie-attribute-changes)
