Hosted Login Pages Cookies


Cookies are a critical part of web applications.

When you call certain APIs, such as the Login API, cookies may be set. Such cookies are specified in the API documentation.

When you use the hosted login pages, FusionAuth uses cookies to enable functionality.


The domain of all cookies is the domain on which the FusionAuth instance is running. You can control the domain FusionAuth uses by setting up a proxy.

In other words, if FusionAuth serves requests at, it will only set cookies for this value: It will never set cookies for The ability to control the domain of the cookie set is an open feature request.

Cookies set by the hosted login pages are displayed here for informational purposes only. The name, type and description of each cookie are subject to change.

Hosted Login Page Cookies

fusionauth.flash-messageRequestUsed to display a message across requests.
fusionauth.known-device.*PersistentIdentifies a device known to FusionAuth. More than one cookie may be set.
fusionauth.localePersistentThe locale used to localize the themed pages.
fusionauth.pkce-verifierRequestUsed to support Proof Key for Code Exchange during login.
fusionauth.remember-devicePersistentRecords if the user wants to remain logged in on this device.
fusionauth.ssoPersistentRepresents a single sign-on session.
fusionauth.timezonePersistentThe configured or approximated timezone used to adjust displayed dates and times.
fusionauth.trusted-device.*PersistentIdentifies a trusted device. More than one cookie may be set.
fusionauth.trust_cRequestImplements security functionality.
fusionauth.trust_tRequestImplements security functionality.
fusionauth.trustPersistentAllows a 2FA challenge to be bypassed during login.
fusionauth.webauthn-reauth.*PersistentRecords user choices about WebAuthn and passkeys.