JWT Session Authentication
The Backend service uses JSON Web Tokens (JWT) for session authentication.
When a user has successfully logged in (e.g. through SSO or magic link), the Admin service sets two cookies:
access_token_cookie: Contains the access token JWT. Valid for a short period (currently 15 minutes).
refresh_token_cookie: Contains a refresh token JWT. Valid for a longer period (currently 24 hours). The cookie path is set to the /auth/refresh endpoint, so it is only sent with requests to that path.
SameSite=None: Required so cookies can be set and sent in cross-site contexts (e.g. when the widget runs on platform domains).
When the access token expires, the frontend calls the /auth/refresh endpoint, which issues a new access token and sets an updated cookie.
When the refresh token expires, the user must log in again.
Cookie attributes
The cookies are set with:
HttpOnly: Prevents the token from being read by JavaScript (reduces XSS risk).
Secure: Ensures the token is only sent over HTTPS.
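The cookie layout, attributes and refresh step described above, as an added example that is not the Backend service's own code. It implements a minimal HS256 JWT on the Python standard library so it runs offline; the claim names, the "typ" claim used to keep access and refresh tokens apart, and the secret passed by the caller are assumptions.

```python
# Added example, not the Backend service's own code; claim names, the "typ" claim
# and the caller-supplied secret are assumptions. HS256 JWT, standard library only.
import base64, hashlib, hmac, json

ACCESS_TTL = 15 * 60        # seconds, "currently 15 minutes"
REFRESH_TTL = 24 * 60 * 60  # seconds, "currently 24 hours"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_jwt(claims: dict, secret: bytes) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, secret: bytes, now: int):
    """Claims if the HS256 signature checks out and exp is still in the future, else None."""
    try:
        header, body, sig = token.split(".")
        alg = json.loads(_unb64(header)).get("alg")
        claims, given = json.loads(_unb64(body)), _unb64(sig)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if alg != "HS256":  # refuse "none" / algorithm-confusion headers
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None

def _set_cookie(name: str, token: str, max_age: int, path: str) -> str:
    # HttpOnly, Secure and SameSite=None as listed under "Cookie attributes"
    return f"{name}={token}; Max-Age={max_age}; Path={path}; HttpOnly; Secure; SameSite=None"

def session_cookies(user: str, secret: bytes, now: int) -> list:
    # Set-Cookie headers after login: short-lived access token, path-scoped refresh token
    access = encode_jwt({"sub": user, "typ": "access", "exp": now + ACCESS_TTL}, secret)
    refresh = encode_jwt({"sub": user, "typ": "refresh", "exp": now + REFRESH_TTL}, secret)
    return [_set_cookie("access_token_cookie", access, ACCESS_TTL, "/"),
            _set_cookie("refresh_token_cookie", refresh, REFRESH_TTL, "/auth/refresh")]

def refresh_access(refresh_cookie: str, secret: bytes, now: int):
    """/auth/refresh logic: only a valid, unexpired *refresh* token yields a new access cookie."""
    claims = verify_jwt(refresh_cookie, secret, now)
    if claims is None or claims.get("typ") != "refresh":
        return None
    access = encode_jwt({"sub": claims.get("sub"), "typ": "access", "exp": now + ACCESS_TTL}, secret)
    return _set_cookie("access_token_cookie", access, ACCESS_TTL, "/")
```

Because the refresh cookie is scoped to Path=/auth/refresh, the browser never attaches it to ordinary API calls; an access token presented at the refresh endpoint is rejected by the "typ" check.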
Login flows
For the full login flow (SSO, magic link, access requests), see the Authentication overview.
For platform-supplied JWT (e.g. Tracebuzz using a shared secret), see Shared Secret JWT (Tracebuzz). For outbound links from desktop apps (e.g. Genesys WDE), see Exchange tokens (Genesys WDE).