CSRF & cookies
CSRF
Browser flows use a double-submit cookie pattern (Auth.js compatible): the server sets a CSRF cookie, the form sends the same value back as a field, and the request is accepted only when the two match.
```sh
# 1. Fetch a token. The response also sets the goauth.csrf-token cookie, saved to jar.txt.
curl -s -c jar.txt https://app.example.com/auth/csrf
# → { "csrfToken": "..." }
# 2. Submit the same value as the csrfToken field while sending the cookie back from the jar.
curl -b jar.txt -X POST https://app.example.com/auth/signout \
  -d "csrfToken=..."
```
GET /auth/csrf sets the goauth.csrf-token cookie and returns the same value in the JSON body; forms submit it as the csrfToken field and the server accepts the request only when field and cookie match. A cross-site page can make the browser send the request, but it cannot read the cookie, so it cannot supply a matching field.
Token flow exemption
Clients that send X-Auth-Flow: token are not required to pass a CSRF token at sign-in. CSRF protection exists for requests that carry ambient credentials, that is, cookies the browser attaches on its own; a token-flow client presents its credential explicitly and no session cookie is involved, so a cross-site page has nothing to ride on. The exemption is sound only for requests that ignore cookies entirely: if an endpoint honoured either a cookie or a bearer credential, a forged request with the cookie would again be accepted. A custom header such as X-Auth-Flow also cannot be set by a plain cross-site form; only a CORS-approved fetch can send it.
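The double-submit check and the token-flow exemption, as an added Go example that is not goauth's code: two net/http handlers model GET /auth/csrf and POST /auth/signout, and runSignout drives the flow in-process with httptest so the outcomes of a same-origin form, a forged cross-site form and a token-flow client can be compared. The cookie and header names are the ones this page documents; the handler logic, the Bearer requirement on the token path and the 32-byte hex token format are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Names taken from the page; the handlers are illustrative, not goauth's own code.
const (
	csrfCookieName = "goauth.csrf-token"
	authFlowHeader = "X-Auth-Flow"
)

// newCSRFToken returns 32 random bytes as hex; the value must be unguessable.
func newCSRFToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// csrfHandler models GET /auth/csrf: set the cookie and return the same value
// in the body so a same-origin page can copy it into a hidden form field.
func csrfHandler(w http.ResponseWriter, r *http.Request) {
	tok := newCSRFToken()
	http.SetCookie(w, &http.Cookie{Name: csrfCookieName, Value: tok, Path: "/",
		HttpOnly: true, SameSite: http.SameSiteLaxMode})
	json.NewEncoder(w).Encode(map[string]string{"csrfToken": tok})
}

// csrfOK is the double-submit check: cookie and form field must both be present
// and equal. A cross-site page cannot read the cookie, so it cannot match it.
func csrfOK(r *http.Request) bool {
	c, err := r.Cookie(csrfCookieName)
	if err != nil || c.Value == "" || r.ParseForm() != nil {
		return false
	}
	sub := r.PostForm.Get("csrfToken")
	return sub != "" && subtle.ConstantTimeCompare([]byte(c.Value), []byte(sub)) == 1
}
// signoutHandler models POST /auth/signout. The token-flow branch skips the CSRF
// check but never reads a cookie: its credential must arrive in a header.
func signoutHandler(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Header.Get(authFlowHeader) == "token":
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
	case !csrfOK(r):
		http.Error(w, "csrf check failed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}
// runSignout drives GET /auth/csrf then POST /auth/signout in-process and returns
// the signout status. attachCookie replays the step-1 cookie, submitToken fills the
// csrfToken field, flow and authz set X-Auth-Flow and Authorization ("" omits them).
func runSignout(attachCookie, submitToken bool, flow, authz string) int {
	mux := http.NewServeMux()
	mux.HandleFunc("/auth/csrf", csrfHandler)
	mux.HandleFunc("/auth/signout", signoutHandler)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/auth/csrf", nil))
	var body struct{ CSRFToken string `json:"csrfToken"` }
	json.Unmarshal(rec.Body.Bytes(), &body) // on failure CSRFToken stays "" and the check fails closed
	form := url.Values{}
	if submitToken {
		form.Set("csrfToken", body.CSRFToken)
	}
	req := httptest.NewRequest(http.MethodPost, "/auth/signout", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if attachCookie {
		for _, c := range rec.Result().Cookies() {
			req.AddCookie(c)
		}
	}
	for k, v := range map[string]string{authFlowHeader: flow, "Authorization": authz} {
		if v != "" {
			req.Header.Set(k, v)
		}
	}
	out := httptest.NewRecorder()
	mux.ServeHTTP(out, req)
	return out.Code
}

func main() {
	fmt.Println(runSignout(true, true, "", ""), runSignout(true, false, "", ""),
		runSignout(true, false, "token", ""), runSignout(false, false, "token", "Bearer x")) // 200 403 401 200
}
```

runSignout(true, true, "", "") is the same-origin form and returns 200. runSignout(true, false, "", "") is the cross-site forgery: the browser may attach the cookie, but the attacker cannot fill in the field, so the result is 403. runSignout(true, false, "token", "") returns 401 because the token path ignores the cookie entirely, which is exactly what makes dropping the CSRF check on that path safe; the same client with a Bearer credential gets 200.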
Session cookies
| Cookie | Purpose |
|---|---|
| Session token | Session identifier (database strategy) or the session JWT (JWT strategy) |
| CSRF (goauth.csrf-token) | Double-submit token, compared against the csrfToken form field |
| PKCE / OAuth state | Short-lived helpers for the OAuth authorization flow |
| goauth.trusted-device | MFA device trust |
| callbackUrl | Post-login redirect target |
Configure names and attributes via Config.Cookies.
Secure defaults
When Config.URL is an https:// URL, cookies default to Secure and to SameSite values suited to each cookie's role. Because the default is keyed on the scheme in Config.URL, check it when TLS terminates at a proxy: an app that listens on plain HTTP behind the proxy but leaves Config.URL at http:// issues cookies without Secure even though users connect over https.
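How a scheme-keyed default plays out, as an added Go example rather than goauth's own Config.Cookies logic: cookieDefaults derives Secure from the base URL's scheme, defaults SameSite to Lax, refuses SameSite=None without Secure (a combination browsers reject), and optionally applies the __Host- prefix. The function name, its parameters and the hostPrefix option are assumptions; the cookie name used in main is the one the page documents.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// cookieDefaults derives Secure and SameSite for a cookie from the site's base
// URL, mirroring the page's rule that https:// in Config.URL turns Secure on.
// The function, its parameters and the hostPrefix option are illustrative
// assumptions, not goauth's own Config.Cookies implementation.
func cookieDefaults(baseURL, name string, sameSite http.SameSite, hostPrefix bool) (*http.Cookie, error) {
	u, err := url.Parse(baseURL)
	if err != nil {
		return nil, err
	}
	secure := u.Scheme == "https"
	if sameSite == 0 || sameSite == http.SameSiteDefaultMode {
		// Lax: sent on top-level navigations (the OAuth redirect back from the
		// provider), withheld on cross-site POSTs.
		sameSite = http.SameSiteLaxMode
	}
	// Browsers reject SameSite=None without Secure, so over plain http this is a
	// misconfiguration to report, not a weaker cookie to issue.
	if sameSite == http.SameSiteNoneMode && !secure {
		return nil, errors.New("SameSite=None requires Secure; " + baseURL + " is not https")
	}
	c := &http.Cookie{Name: name, Path: "/", HttpOnly: true, Secure: secure, SameSite: sameSite}
	// __Host- makes the browser enforce Secure, Path=/ and no Domain attribute,
	// so a sibling subdomain cannot overwrite the cookie. Only valid over https.
	if hostPrefix && secure {
		c.Name = "__Host-" + name
	}
	return c, nil
}

func main() {
	for _, base := range []string{"https://app.example.com", "http://localhost:3000"} {
		c, err := cookieDefaults(base, "goauth.csrf-token", 0, true)
		if err != nil {
			fmt.Println(base, "->", err)
			continue
		}
		fmt.Println(base, "->", c.String()) // the Set-Cookie serialization
	}
}
```

Lax is the default because the OAuth state and callbackUrl cookies must survive the top-level redirect back from the identity provider, which Strict would block, while Lax still withholds the cookie on a cross-site POST. Over http://localhost the function returns a plain, non-Secure, unprefixed cookie, which is why Config.URL has to reflect the scheme users actually connect with rather than the one the process listens on.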