Apigee customers can provide API products to their customers (app developers) through a developer portal. This document describes how cookies are used to deliver this experience for portal users. It does not cover un-upgraded legacy portals.

Cookies for all visitors

  • JSESSIONID: A random value that is used to correlate web requests with sessions.
  • X-Apigee-CSRF2: Used for all visitors to a site, but is only populated after a user authenticates. It helps to protect against cross-site request forgeries.

Additional cookies for authenticated users

  • portalSession: A JWT session token used to authenticate requests. It is cleared on logout.
  • portalRefresh: A JWT refresh token used to generate a new session token. It is cleared on logout.

Cookies specific to the identity service

  • SSO_JSESSIONID: Used by the identity service to maintain a logged-in session for the user and to maintain state during login.
  • route: Used to route a user to an identity instance for their session.
  • X-Uaa-Csrf: Used by the identity service to protect against cross-site request forgeries.

Use of reCAPTCHA

reCAPTCHA is used by the identity service to protect against robot actors, and it may utilize additional cookies, including the domain. See the reCAPTCHA documentation regarding its use of cookies.

Deprecated cookies

  • portalDefaultDomain (deprecated): Was used for portals where the custom domain was enabled before February 18, 2020. It determined which domain to send requests to, and it has since been deprecated. Disabling and re-enabling the custom domain of any portal will remove it.