Legal · auth.ng

Cookie Policy

auth.ng uses a small set of strictly-necessary cookies to keep your sign-in secure. We don't use advertising or tracking cookies.

Last updated: July 3, 2026 · A brand of Bolrach Technologies Limited

1. What cookies are

A cookie is a small text file that a website asks your browser to store. It usually holds a short identifier, not the actual data about you, so your browser can prove to the site who you are on the next request. Cookies are how the web remembers you between page loads, since each request to a server would otherwise be a stranger to the last one.

Some sites use cookies to track you across the internet for advertising. That is not what auth.ng does. We use cookies for one job only: keeping you securely signed in.

2. How auth.ng uses cookies

auth.ng is an identity provider. When you sign in to a service that uses auth.ng, we set a small number of strictly-necessary cookies on the id.auth.ng domain to run your session, protect the sign-in form, and remember a device you've trusted before. Every cookie we set exists to make sign-in work or to keep it safe. None of them exist to build an ad profile, and none of them are sold or shared with advertisers.

Because these cookies are essential to the service, we don't show a cookie-consent banner asking you to opt in to them. Regulations that require consent banners generally carve out cookies that are strictly necessary to provide a service you've requested, such as staying logged in, and that's the only category we use.

3. The cookies we set

Here's the full list. There are no others, and we don't plan to add tracking or advertising cookies later without updating this page first.

CookiePurposeLifetime
realm_sessionKeeps you signed in to your auth.ng realm so you're not asked to log in on every request.Session (cleared on logout or browser close)
csrf_tokenConfirms that a form submission or sign-in request actually came from you, not from another site.Session
trusted_deviceRemembers a device you've verified before, so we can skip a repeat verification step on it.30 days, sliding
themeRemembers whether you last viewed auth.ng in light or dark mode.1 year

realm_session and csrf_token are set as HttpOnly and Secure, meaning JavaScript on the page can't read them and they're only ever sent over an encrypted connection.

4. Managing cookies

Your browser lets you view, block, or delete cookies from settings, usually under Privacy or Site Settings. You can also open a private or incognito window, which discards cookies once it's closed.

One honest warning: blocking or deleting the essential cookies above will break sign-in on auth.ng. Without realm_session your browser can't hold a session at all, and without csrf_token the sign-in form will reject its own submissions on purpose, as a security measure. That's expected behavior, not a bug, and it's the tradeoff of a cookie that isn't optional.

5. Third parties

We don't run third-party advertising pixels, ad-network cookies, or general-purpose analytics trackers on the auth.ng sign-in and account surfaces. We keep this surface deliberately narrow because it's where your credentials live. If that ever changes, for example to add privacy-respecting, first-party product analytics, we'll update this page and the cookie table above before it ships, not after.

6. Changes to this policy

We may update this Cookie Policy as auth.ng changes, for instance if we add a new essential cookie for a new sign-in method. Material changes will update the "Last updated" date at the top of this page. This document works alongside our Privacy Policy, Terms of Service, and Data Processing Agreement, and should be read together with them.

7. Contact

Questions about this Cookie Policy or the cookies auth.ng sets can go to [email protected]. For anything account-specific, please use a support ticket rather than email so it reaches the right team. See also our Acceptable Use Policy.

Questions about this document?

auth.ng is a brand of Bolrach Technologies Limited. Contact [email protected]. Support is by ticket and knowledge base.