Sessions, cookies, and tokens · Intastellar Help

Think in three layers: Intastellar-hosted (login UI), your site’s origin (SDK or your session), and your backend (opaque sessions, verification).

On your site’s origin

When you use @intastellar/signin-sdk-react or a vanilla flow that mirrors it, sign-in may set first-party cookies so the browser remembers the user. Exact names and rules are defined by the SDK and Intastellar’s technical reference (npm readme, Plain HTML, CSS, and JavaScript) — do not assume they match another project.

Treat those cookies as SDK-managed unless Intastellar documents otherwise.

Opaque session id in an HttpOnly, Secure cookie, with SameSite suited to your topology.
Server-side store mapping that id to user id, expiry, and refresh handling.
Create or refresh that session only after your server trusts the sign-in outcome (token validation per your technical reference or runbook).

See Intastellar Sign-In — React and JavaScript for a high-level “optional server session” pattern using example URLs only.

On Intastellar-controlled hosts

While the user signs in at Intastellar, the identity host may set its own cookies (SSO, session). Those are not readable from your origin’s JavaScript. Rely on tokens, your session, or the SDK, not on reading IdP cookies cross-site.

ID token vs access token

When you use OAuth-style token responses (manual code flow):

ID token — JWT about the authentication event; validate iss, aud, exp, signature (and nonce if used).
Access token — call APIs; treat as opaque unless you need to parse it.

SPAs and JavaScript clients — PKCE and when not to use a secret in the browser.
Server-side (confidential) clients — code exchange without exposing secrets.

Last updated Apr 7, 2026

On your site’s origin

On Intastellar-controlled hosts

ID token vs access token

Logout

Frequently asked questions

Can we read Intastellar’s cookies from JavaScript?

Next