Apigee customers can provide API products to customers (app developers) with
a developer portal. This document describes how cookies are used to deliver
this experience for portal users.
Cookies for all visitors
JSESSIONID: A random value that is used to correlate web requests
with sessions.
X-Apigee-CSRF2: Used for all visitors to a site,
but only populated after a user authenticates. It helps to protect
against cross-site request forgeries.
Additional cookies for authenticated users
portalSession: A JWT session token used to authenticate requests.
It is cleared on logout.
portalRefresh: A JWT refresh token used
to generate a new session token. It is cleared on logout.
Cookies specific to the identity service
SSO_JSESSIONID: Used by the identity service to maintain a logged-in
session for the user and to maintain state during login.
route: Used to route a user to an identity instance for their
session.
X-Uaa-Csrf: Used by the identity service to protect against
cross-site request forgeries.
Use of reCAPTCHA
The identity service uses reCAPTCHA to protect against robot actors.
reCAPTCHA may utilize additional cookies, including cookies on the google.com domain.
See the reCAPTCHA documentation regarding its use of cookies.
The integration with reCAPTCHA generates the recaptcha-ca-t cookie, which is used to
provide security integration and protection against robot actors.
Deprecated cookies
portalDefaultDomain (deprecated): Was used for portals where the
custom domain was enabled before February 18, 2020. It
determined which domain to send requests to, and it has since been
deprecated. Disabling and re-enabling the custom domain of any portal
will remove it.
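The cookie inventory above can be turned into a check on a portal's logout response. The following is an added example, not Apigee code: it flags cookies outside the documented list, the deprecated portalDefaultDomain, and a portalSession or portalRefresh cookie that was not cleared. The function names and sample headers are constructed, and treating an empty value, `Max-Age <= 0` or a past `Expires` as "cleared" is an assumption, since the page only states that the cookies are cleared on logout.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

DOCUMENTED = {  # cookie names and groups as listed on this page
    "JSESSIONID": "all visitors", "X-Apigee-CSRF2": "all visitors",
    "portalSession": "authenticated", "portalRefresh": "authenticated",
    "SSO_JSESSIONID": "identity service", "route": "identity service",
    "X-Uaa-Csrf": "identity service", "recaptcha-ca-t": "reCAPTCHA",
    "portalDefaultDomain": "deprecated",
}
MUST_CLEAR_ON_LOGOUT = {"portalSession", "portalRefresh"}  # per this page

def is_cleared(morsel, now):
    """Assumption: cleared means empty value, Max-Age <= 0, or past Expires."""
    if morsel.value == "":
        return True
    try:
        if morsel["max-age"] != "":
            return int(morsel["max-age"]) <= 0
        if morsel["expires"]:
            return parsedate_to_datetime(morsel["expires"]) <= now
    except (TypeError, ValueError):
        pass  # malformed or zone-less attribute: treat as not cleared
    return False

def audit_logout(set_cookie_headers, now=None):
    now = now or datetime.now(timezone.utc)
    findings, cleared = [], set()
    for header in set_cookie_headers:
        jar = SimpleCookie(header)  # one Set-Cookie header per jar
        for name, morsel in jar.items():
            group = DOCUMENTED.get(name)
            if group is None:
                findings.append(f"{name}: not in documented inventory")
            elif group == "deprecated":
                findings.append(f"{name}: deprecated cookie present")
            if is_cleared(morsel, now):
                cleared.add(name)
    for name in sorted(MUST_CLEAR_ON_LOGOUT - cleared):
        findings.append(f"{name}: not cleared on logout")
    return findings

# Constructed sample: Set-Cookie headers of a hypothetical logout response.
SAMPLE_LOGOUT = [
    "portalSession=; Max-Age=0; Path=/; Secure; HttpOnly",
    "portalRefresh=eyJ.constructed.value; Path=/; Secure; HttpOnly",
    "portalDefaultDomain=portal.example.com; Path=/",
    "tracker=abc123; Path=/",
]
```

Calling `audit_logout(SAMPLE_LOGOUT)` reports the deprecated cookie, the undocumented `tracker` cookie, and the `portalRefresh` token that survived logout.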
Last updated 2025-08-04 UTC.