[{"data":1,"prerenderedAt":3949},["ShallowReactive",2],{"navLinks":3,"sidebar_docs_navigation_\u002Fdocs\u002Fiam":64,"navigation":257,"navLinks_footer":837,"\u002Fdocs\u002Fiam\u002Fessentials\u002Fcookies_page":850,"\u002Fdocs\u002Fiam\u002Fessentials\u002Fcookies_surround":2601,"\u002Fdocs\u002Fiam\u002Fessentials\u002Fcookies":2604},{"id":4,"extension":5,"links":6,"meta":61,"stem":62,"__hash__":63},"navigationMenu\u002Fnavigation.json","json",[7,52,57],{"nested":8,"label":9,"icon":10,"to":11,"children":12},true,"Docs","i-lucide-book-open","\u002Fdocs\u002Fgetting-started",[13,19,26,32,39,45],{"label":14,"icon":15,"to":11,"description":16,"github":17,"badge":18},"Getting Started","i-lucide-rocket","An introduction to help you understand the core components.","https:\u002F\u002Fgithub.com\u002FSergo706\u002Fdocshub","Start Here",{"label":20,"icon":21,"to":22,"description":23,"github":24,"badge":25},"Auth H3 Client","i-lucide-key-round","\u002Fdocs\u002Fauth-h3client","Seamlessly enforce OAuth 2.0 authentication and session management integrated directly as the client of the IAM module.","https:\u002F\u002Fgithub.com\u002FSergo706\u002Fauth-h3client","Core",{"label":27,"icon":28,"to":29,"description":30,"github":31,"badge":25},"IAM","i-lucide-shield-check","\u002Fdocs\u002Fiam","Identity and Access Management featuring granular roles, permissions, and security policies.","https:\u002F\u002Fgithub.com\u002FSergo706\u002Fauth",{"label":33,"icon":34,"to":35,"description":36,"github":37,"badge":38},"Bot Detection","i-lucide-cpu","\u002Fdocs\u002Fbot-detection","Advanced behavioral analysis and request fingerprinting to stop malicious automated traffic.","https:\u002F\u002Fgithub.com\u002FSergo706\u002Fbot-detector","Security",{"label":40,"icon":41,"to":42,"description":43,"github":44,"badge":38},"Shield Base","i-lucide-database-zap","\u002Fdocs\u002Fshield-base","CLI and programmatic toolkit for compiling offline-ready IP intelligence databases from BGP, GeoIP, Tor, FireHOL, and other public threat feeds.","https:\u002F\u002Fgithub.com\u002FSergo706\u002Fshield-base-cli",{"label":46,"icon":47,"to":48,"description":49,"github":50,"badge":51},"Utils","i-lucide-wrench","\u002Fdocs\u002Futils","A standard library of highly optimized helpers for formatting, validation, and core logic.","https:\u002F\u002Fgithub.com\u002FSergo706\u002Futils","Library",{"nested":53,"label":54,"icon":55,"to":56},false,"Blog","i-lucide-pen-line","\u002Fblog",{"nested":53,"label":58,"icon":59,"to":60},"Website","lucide:app-window-mac","https:\u002F\u002Friavzon.com",{},"navigation","gkaQ0xRGxSLrLyM3kttLe0oBwkrR1EBjlepF8LSbwF8",[65],{"title":9,"path":66,"stem":67,"children":68,"page":53},"\u002Fdocs","docs",[69],{"title":27,"path":29,"stem":70,"children":71},"docs\u002Fiam\u002Findex",[72,73,76,216,219,236,240],{"title":27,"path":29,"stem":70},{"title":14,"path":74,"stem":75},"\u002Fdocs\u002Fiam\u002Fgetting-started","docs\u002Fiam\u002F00.getting-started",{"title":77,"path":78,"stem":79,"children":80},"Essentials","\u002Fdocs\u002Fiam\u002Fessentials","docs\u002Fiam\u002F01.essentials\u002Findex",[81,82,86,90,94,98,102,106,110,114,118,122,126,130,134,138,142,146,150,154,158,162,166],{"title":77,"path":78,"stem":79},{"title":83,"path":84,"stem":85},"Tokens","\u002Fdocs\u002Fiam\u002Fessentials\u002Ftokens","docs\u002Fiam\u002F01.essentials\u002F00.tokens",{"title":87,"path":88,"stem":89},"Access Tokens","\u002Fdocs\u002Fiam\u002Fessentials\u002Faccess-tokens","docs\u002Fiam\u002F01.essentials\u002F01.access-tokens",{"title":91,"path":92,"stem":93},"Refresh Tokens","\u002Fdocs\u002Fiam\u002Fessentials\u002Frefresh-tokens","docs\u002Fiam\u002F01.essentials\u002F02.refresh-tokens",{"title":95,"path":96,"stem":97},"Anomaly Detection","\u002Fdocs\u002Fiam\u002Fessentials\u002Fanomalies","docs\u002Fiam\u002F01.essentials\u002F03.anomalies",{"title":99,"path":100,"stem":101},"Signup","\u002Fdocs\u002Fiam\u002Fessentials\u002Fsignup","docs\u002Fiam\u002F01.essentials\u002F04.signup",{"title":103,"path":104,"stem":105},"Login","\u002Fdocs\u002Fiam\u002Fessentials\u002Flogin","docs\u002Fiam\u002F01.essentials\u002F05.login",{"title":107,"path":108,"stem":109},"Logout","\u002Fdocs\u002Fiam\u002Fessentials\u002Flogout","docs\u002Fiam\u002F01.essentials\u002F06.logout",{"title":111,"path":112,"stem":113},"OAuth","\u002Fdocs\u002Fiam\u002Fessentials\u002Foauth","docs\u002Fiam\u002F01.essentials\u002F07.oauth",{"title":115,"path":116,"stem":117},"Magic Links","\u002Fdocs\u002Fiam\u002Fessentials\u002Fmagic-links","docs\u002Fiam\u002F01.essentials\u002F08.magic-links",{"title":119,"path":120,"stem":121},"Emails","\u002Fdocs\u002Fiam\u002Fessentials\u002Femails","docs\u002Fiam\u002F01.essentials\u002F09.emails",{"title":123,"path":124,"stem":125},"MFA","\u002Fdocs\u002Fiam\u002Fessentials\u002Fmfa","docs\u002Fiam\u002F01.essentials\u002F10.mfa",{"title":127,"path":128,"stem":129},"Fingerprinting","\u002Fdocs\u002Fiam\u002Fessentials\u002Ffingerprinting","docs\u002Fiam\u002F01.essentials\u002F11.fingerprinting",{"title":131,"path":132,"stem":133},"Backend for Frontend","\u002Fdocs\u002Fiam\u002Fessentials\u002Fbff","docs\u002Fiam\u002F01.essentials\u002F12.bff",{"title":135,"path":136,"stem":137},"HMAC Authentication","\u002Fdocs\u002Fiam\u002Fessentials\u002Fhmac","docs\u002Fiam\u002F01.essentials\u002F13.hmac",{"title":139,"path":140,"stem":141},"XSS Protection","\u002Fdocs\u002Fiam\u002Fessentials\u002Fxss","docs\u002Fiam\u002F01.essentials\u002F14.xss",{"title":143,"path":144,"stem":145},"Logging","\u002Fdocs\u002Fiam\u002Fessentials\u002Flogging","docs\u002Fiam\u002F01.essentials\u002F15.logging",{"title":147,"path":148,"stem":149},"Rate Limiting","\u002Fdocs\u002Fiam\u002Fessentials\u002Frate-limiting","docs\u002Fiam\u002F01.essentials\u002F16.rate-limiting",{"title":151,"path":152,"stem":153},"Database","\u002Fdocs\u002Fiam\u002Fessentials\u002Fdatabase","docs\u002Fiam\u002F01.essentials\u002F17.database",{"title":155,"path":156,"stem":157},"Cookies","\u002Fdocs\u002Fiam\u002Fessentials\u002Fcookies","docs\u002Fiam\u002F01.essentials\u002F18.cookies",{"title":159,"path":160,"stem":161},"Service Startup","\u002Fdocs\u002Fiam\u002Fessentials\u002Fservice","docs\u002Fiam\u002F01.essentials\u002F19.service",{"title":163,"path":164,"stem":165},"Password Reset","\u002Fdocs\u002Fiam\u002Fessentials\u002Fpassword-reset","docs\u002Fiam\u002F01.essentials\u002F20.password-reset",{"title":167,"path":168,"stem":169,"children":170},"API Tokens","\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi","docs\u002Fiam\u002F01.essentials\u002F21.api\u002Findex",[171,172,176,180,210,213],{"title":167,"path":168,"stem":169},{"title":173,"path":174,"stem":175},"Creating Tokens","\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Fcreation","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F00.creation",{"title":177,"path":178,"stem":179},"Verifying Tokens","\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Fverification","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F01.verification",{"title":181,"path":182,"stem":183,"children":184},"Manage Tokens","\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Fmanagement","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F02.management\u002Findex",[185,186,190,194,198,202,206],{"title":181,"path":182,"stem":183},{"title":187,"path":188,"stem":189},"Privileges","\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Fmanagement\u002Fprivilege","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F02.management\u002F00.privilege",{"title":191,"path":192,"stem":193},"Revocation","\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Fmanagement\u002Frevocation","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F02.management\u002F01.revocation",{"title":195,"path":196,"stem":197},"Rotation","\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Fmanagement\u002Frotation","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F02.management\u002F02.rotation",{"title":199,"path":200,"stem":201},"IP Restriction","\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Fmanagement\u002Fip-updates","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F02.management\u002F03.ip-updates",{"title":203,"path":204,"stem":205},"Metadata","\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Fmanagement\u002Fmetadata","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F02.management\u002F04.metadata",{"title":207,"path":208,"stem":209},"Token Listing","\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Fmanagement\u002Flist","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F02.management\u002F05.list",{"title":147,"path":211,"stem":212},"\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Frate-limiting","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F03.rate-limiting",{"title":38,"path":214,"stem":215},"\u002Fdocs\u002Fiam\u002Fessentials\u002Fapi\u002Fsecurity","docs\u002Fiam\u002F01.essentials\u002F21.api\u002F04.security",{"title":38,"path":217,"stem":218},"\u002Fdocs\u002Fiam\u002Fsecurity","docs\u002Fiam\u002F02.security",{"title":220,"path":221,"stem":222,"children":223,"page":53},"Guides","\u002Fdocs\u002Fiam\u002Fguides","docs\u002Fiam\u002F03.guides",[224,228,232],{"title":225,"path":226,"stem":227},"Deployment","\u002Fdocs\u002Fiam\u002Fguides\u002Fdeployment","docs\u002Fiam\u002F03.guides\u002Fdeployment",{"title":229,"path":230,"stem":231},"Operation Scripts","\u002Fdocs\u002Fiam\u002Fguides\u002Foperation-scripts","docs\u002Fiam\u002F03.guides\u002Foperation-scripts",{"title":233,"path":234,"stem":235},"Role-Based Access Control","\u002Fdocs\u002Fiam\u002Fguides\u002Frbac","docs\u002Fiam\u002F03.guides\u002Frbac",{"title":237,"path":238,"stem":239},"Configuration","\u002Fdocs\u002Fiam\u002Fconfiguration","docs\u002Fiam\u002F04.configuration",{"title":241,"path":242,"stem":243,"children":244,"page":53},"Api","\u002Fdocs\u002Fiam\u002Fapi","docs\u002Fiam\u002F05.API",[245,249,253],{"title":246,"path":247,"stem":248},"API Reference","\u002Fdocs\u002Fiam\u002Fapi\u002Fapi","docs\u002Fiam\u002F05.API\u002F00.api",{"title":250,"path":251,"stem":252},"Middleware Reference","\u002Fdocs\u002Fiam\u002Fapi\u002Fmiddlewares","docs\u002Fiam\u002F05.API\u002F02.middlewares",{"title":254,"path":255,"stem":256},"Routes Reference","\u002Fdocs\u002Fiam\u002Fapi\u002Froutes","docs\u002Fiam\u002F05.API\u002F03.routes",[258],{"title":9,"path":66,"stem":67,"children":259,"page":53},[260,398,516,521,577,644],{"title":20,"path":22,"stem":261,"children":262},"docs\u002Fauth-h3client\u002Findex",[263,264,273,307,331,353,356,376,379],{"title":20,"path":22,"stem":261},{"title":14,"path":265,"stem":266,"children":267},"\u002Fdocs\u002Fauth-h3client\u002Fgetting-started","docs\u002Fauth-h3client\u002F00.getting-started\u002Findex",[268,269],{"title":14,"path":265,"stem":266},{"title":270,"path":271,"stem":272},"Nuxt Module","\u002Fdocs\u002Fauth-h3client\u002Fgetting-started\u002Fnuxt","docs\u002Fauth-h3client\u002F00.getting-started\u002F00.nuxt",{"title":77,"path":274,"stem":275,"children":276},"\u002Fdocs\u002Fauth-h3client\u002Fessentials","docs\u002Fauth-h3client\u002F01.essentials\u002Findex",[277,278,282,286,290,294,298,301,304],{"title":77,"path":274,"stem":275},{"title":279,"path":280,"stem":281},"Session Management","\u002Fdocs\u002Fauth-h3client\u002Fessentials\u002Fsession","docs\u002Fauth-h3client\u002F01.essentials\u002F00.session",{"title":283,"path":284,"stem":285},"Route Protection","\u002Fdocs\u002Fauth-h3client\u002Fessentials\u002Froute-protection","docs\u002Fauth-h3client\u002F01.essentials\u002F01.route-protection",{"title":287,"path":288,"stem":289},"CSRF Protection","\u002Fdocs\u002Fauth-h3client\u002Fessentials\u002Fcsrf","docs\u002Fauth-h3client\u002F01.essentials\u002F02.csrf",{"title":291,"path":292,"stem":293},"Auth Flows","\u002Fdocs\u002Fauth-h3client\u002Fessentials\u002Fauth-flows","docs\u002Fauth-h3client\u002F01.essentials\u002F03.auth-flows",{"title":295,"path":296,"stem":297},"OAuth and OIDC","\u002Fdocs\u002Fauth-h3client\u002Fessentials\u002Foauth","docs\u002Fauth-h3client\u002F01.essentials\u002F04.oauth",{"title":33,"path":299,"stem":300},"\u002Fdocs\u002Fauth-h3client\u002Fessentials\u002Fbot-detection","docs\u002Fauth-h3client\u002F01.essentials\u002F05.bot-detection",{"title":155,"path":302,"stem":303},"\u002Fdocs\u002Fauth-h3client\u002Fessentials\u002Fcookies","docs\u002Fauth-h3client\u002F01.essentials\u002F06.cookies",{"title":143,"path":305,"stem":306},"\u002Fdocs\u002Fauth-h3client\u002Fessentials\u002Flogging","docs\u002Fauth-h3client\u002F01.essentials\u002F07.logging",{"title":123,"path":308,"stem":309,"children":310},"\u002Fdocs\u002Fauth-h3client\u002Fmfa","docs\u002Fauth-h3client\u002F02.mfa\u002Findex",[311,312,316,319,323,327],{"title":123,"path":308,"stem":309},{"title":313,"path":314,"stem":315},"Built-in MFA","\u002Fdocs\u002Fauth-h3client\u002Fmfa\u002Fbuilt-in-flow","docs\u002Fauth-h3client\u002F02.mfa\u002F01.built-in-flow",{"title":163,"path":317,"stem":318},"\u002Fdocs\u002Fauth-h3client\u002Fmfa\u002Fpassword-reset","docs\u002Fauth-h3client\u002F02.mfa\u002F02.password-reset",{"title":320,"path":321,"stem":322},"Email Change","\u002Fdocs\u002Fauth-h3client\u002Fmfa\u002Femail-change","docs\u002Fauth-h3client\u002F02.mfa\u002F03.email-change",{"title":324,"path":325,"stem":326},"Custom MFA Flow","\u002Fdocs\u002Fauth-h3client\u002Fmfa\u002Fcustom-flow","docs\u002Fauth-h3client\u002F02.mfa\u002F04.custom-flow",{"title":328,"path":329,"stem":330},"Client-Side MFA","\u002Fdocs\u002Fauth-h3client\u002Fmfa\u002Fclient-side","docs\u002Fauth-h3client\u002F02.mfa\u002F05.client-side",{"title":332,"path":333,"stem":334,"children":335},"Client-side","\u002Fdocs\u002Fauth-h3client\u002Fclient","docs\u002Fauth-h3client\u002F03.client\u002Findex",[336,337,341,345,349],{"title":332,"path":333,"stem":334},{"title":338,"path":339,"stem":340},"useAuthData","\u002Fdocs\u002Fauth-h3client\u002Fclient\u002Fuse-auth-data","docs\u002Fauth-h3client\u002F03.client\u002F00.use-auth-data",{"title":342,"path":343,"stem":344},"useMagicLink","\u002Fdocs\u002Fauth-h3client\u002Fclient\u002Fuse-magic-link","docs\u002Fauth-h3client\u002F03.client\u002F01.use-magic-link",{"title":346,"path":347,"stem":348},"executeRequest","\u002Fdocs\u002Fauth-h3client\u002Fclient\u002Fexecute-request","docs\u002Fauth-h3client\u002F03.client\u002F02.execute-request",{"title":350,"path":351,"stem":352},"getCsrfToken","\u002Fdocs\u002Fauth-h3client\u002Fclient\u002Fget-csrf-token","docs\u002Fauth-h3client\u002F03.client\u002F03.get-csrf-token",{"title":38,"path":354,"stem":355},"\u002Fdocs\u002Fauth-h3client\u002Fsecurity","docs\u002Fauth-h3client\u002F04.security",{"title":220,"path":357,"stem":358,"children":359,"page":53},"\u002Fdocs\u002Fauth-h3client\u002Fguides","docs\u002Fauth-h3client\u002F05.guides",[360,364,368,372],{"title":361,"path":362,"stem":363},"H3 and Nitro Setup","\u002Fdocs\u002Fauth-h3client\u002Fguides\u002Fh3-nitro","docs\u002Fauth-h3client\u002F05.guides\u002F00.h3-nitro",{"title":365,"path":366,"stem":367},"HMAC Inter-service Auth","\u002Fdocs\u002Fauth-h3client\u002Fguides\u002Fhmac","docs\u002Fauth-h3client\u002F05.guides\u002Fhmac",{"title":369,"path":370,"stem":371},"Image Upload","\u002Fdocs\u002Fauth-h3client\u002Fguides\u002Fimage-upload","docs\u002Fauth-h3client\u002F05.guides\u002Fimage-upload",{"title":373,"path":374,"stem":375},"mTLS Configuration","\u002Fdocs\u002Fauth-h3client\u002Fguides\u002Fmtls","docs\u002Fauth-h3client\u002F05.guides\u002Fmtls",{"title":237,"path":377,"stem":378},"\u002Fdocs\u002Fauth-h3client\u002Fconfiguration","docs\u002Fauth-h3client\u002F06.configuration",{"title":246,"path":380,"stem":381,"children":382},"\u002Fdocs\u002Fauth-h3client\u002Fapi","docs\u002Fauth-h3client\u002F07.api\u002Findex",[383,384,387,390,394],{"title":246,"path":380,"stem":381},{"title":254,"path":385,"stem":386},"\u002Fdocs\u002Fauth-h3client\u002Fapi\u002Fcontrollers","docs\u002Fauth-h3client\u002F07.api\u002F00.controllers",{"title":250,"path":388,"stem":389},"\u002Fdocs\u002Fauth-h3client\u002Fapi\u002Fmiddleware","docs\u002Fauth-h3client\u002F07.api\u002F01.middleware",{"title":391,"path":392,"stem":393},"Client-side Reference","\u002Fdocs\u002Fauth-h3client\u002Fapi\u002Fcomposables","docs\u002Fauth-h3client\u002F07.api\u002F02.composables",{"title":395,"path":396,"stem":397},"Utilities","\u002Fdocs\u002Fauth-h3client\u002Fapi\u002Futilities","docs\u002Fauth-h3client\u002F07.api\u002F03.utilities",{"title":399,"path":35,"stem":400,"children":401},"Bot Detector","docs\u002Fbot-detection\u002Findex",[402,403,406,410,414,433,507,510,513],{"title":399,"path":35,"stem":400},{"title":14,"path":404,"stem":405},"\u002Fdocs\u002Fbot-detection\u002Fgetting-started","docs\u002Fbot-detection\u002F00.getting-started",{"title":407,"path":408,"stem":409},"CLI","\u002Fdocs\u002Fbot-detection\u002Fcli","docs\u002Fbot-detection\u002F01.cli",{"title":411,"path":412,"stem":413},"Data Sources","\u002Fdocs\u002Fbot-detection\u002Fdata-sources","docs\u002Fbot-detection\u002F02.data-sources",{"title":220,"path":415,"stem":416,"children":417,"page":53},"\u002Fdocs\u002Fbot-detection\u002Fguides","docs\u002Fbot-detection\u002F03.guides",[418,422,426,429],{"title":419,"path":420,"stem":421},"Custom Checkers","\u002Fdocs\u002Fbot-detection\u002Fguides\u002Fcustom","docs\u002Fbot-detection\u002F03.guides\u002FCUSTOM",{"title":423,"path":424,"stem":425},"Scheduling Database Generation","\u002Fdocs\u002Fbot-detection\u002Fguides\u002Fgenerate","docs\u002Fbot-detection\u002F03.guides\u002FGENERATE",{"title":143,"path":427,"stem":428},"\u002Fdocs\u002Fbot-detection\u002Fguides\u002Flogging","docs\u002Fbot-detection\u002F03.guides\u002FLOGGING",{"title":430,"path":431,"stem":432},"Score Modes and Reputation Healing","\u002Fdocs\u002Fbot-detection\u002Fguides\u002Fscore","docs\u002Fbot-detection\u002F03.guides\u002FSCORE",{"title":434,"path":435,"stem":436,"children":437},"Checkers","\u002Fdocs\u002Fbot-detection\u002Fcheckers","docs\u002Fbot-detection\u002F04.checkers\u002Findex",[438,439,443,447,451,455,459,463,467,471,475,479,483,487,491,495,499,503],{"title":434,"path":435,"stem":436},{"title":440,"path":441,"stem":442},"IP Validation","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fip-validation","docs\u002Fbot-detection\u002F04.checkers\u002F01.ip-validation",{"title":444,"path":445,"stem":446},"Good \u002F Bad Bot Verification","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fgood-bots","docs\u002Fbot-detection\u002F04.checkers\u002F02.good-bots",{"title":448,"path":449,"stem":450},"Browser & Device Fingerprint","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fbrowser-device","docs\u002Fbot-detection\u002F04.checkers\u002F03.browser-device",{"title":452,"path":453,"stem":454},"Locale Map","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Flocale-map","docs\u002Fbot-detection\u002F04.checkers\u002F04.locale-map",{"title":456,"path":457,"stem":458},"Known Threats","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fknown-threats","docs\u002Fbot-detection\u002F04.checkers\u002F05.known-threats",{"title":460,"path":461,"stem":462},"ASN Classification","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fasn-classification","docs\u002Fbot-detection\u002F04.checkers\u002F06.asn-classification",{"title":464,"path":465,"stem":466},"Tor Analysis","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Ftor-analysis","docs\u002Fbot-detection\u002F04.checkers\u002F07.tor-analysis",{"title":468,"path":469,"stem":470},"Timezone Consistency","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Ftimezone-consistency","docs\u002Fbot-detection\u002F04.checkers\u002F08.timezone-consistency",{"title":472,"path":473,"stem":474},"Honeypot","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fhoneypot","docs\u002Fbot-detection\u002F04.checkers\u002F09.honeypot",{"title":476,"path":477,"stem":478},"Known Bad IPs","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fknown-bad-ips","docs\u002Fbot-detection\u002F04.checkers\u002F10.known-bad-ips",{"title":480,"path":481,"stem":482},"Behavior Rate","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fbehavior-rate","docs\u002Fbot-detection\u002F04.checkers\u002F11.behavior-rate",{"title":484,"path":485,"stem":486},"Proxy \u002F ISP \u002F Cookie","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fproxy-isp-cookies","docs\u002Fbot-detection\u002F04.checkers\u002F12.proxy-isp-cookies",{"title":488,"path":489,"stem":490},"Session Coherence","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fsession-coherence","docs\u002Fbot-detection\u002F04.checkers\u002F13.session-coherence",{"title":492,"path":493,"stem":494},"Velocity Fingerprint","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fvelocity-fingerprint","docs\u002Fbot-detection\u002F04.checkers\u002F14.velocity-fingerprint",{"title":496,"path":497,"stem":498},"UA & Header Analysis","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fua-header","docs\u002Fbot-detection\u002F04.checkers\u002F15.ua-header",{"title":500,"path":501,"stem":502},"Geolocation","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fgeolocation","docs\u002Fbot-detection\u002F04.checkers\u002F16.geolocation",{"title":504,"path":505,"stem":506},"Known Bad User-Agents","\u002Fdocs\u002Fbot-detection\u002Fcheckers\u002Fknown-bad-ua","docs\u002Fbot-detection\u002F04.checkers\u002F17.known-bad-ua",{"title":38,"path":508,"stem":509},"\u002Fdocs\u002Fbot-detection\u002Fsecurity","docs\u002Fbot-detection\u002F04.security",{"title":246,"path":511,"stem":512},"\u002Fdocs\u002Fbot-detection\u002Fapi","docs\u002Fbot-detection\u002F05.api",{"title":237,"path":514,"stem":515},"\u002Fdocs\u002Fbot-detection\u002Fconfiguration","docs\u002Fbot-detection\u002F06.configuration",{"title":517,"path":11,"stem":518,"children":519},"Introduction","docs\u002Fgetting-started\u002Findex",[520],{"title":517,"path":11,"stem":518},{"title":27,"path":29,"stem":70,"children":522},[523,524,525,565,566,571,572],{"title":27,"path":29,"stem":70},{"title":14,"path":74,"stem":75},{"title":77,"path":78,"stem":79,"children":526},[527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549],{"title":77,"path":78,"stem":79},{"title":83,"path":84,"stem":85},{"title":87,"path":88,"stem":89},{"title":91,"path":92,"stem":93},{"title":95,"path":96,"stem":97},{"title":99,"path":100,"stem":101},{"title":103,"path":104,"stem":105},{"title":107,"path":108,"stem":109},{"title":111,"path":112,"stem":113},{"title":115,"path":116,"stem":117},{"title":119,"path":120,"stem":121},{"title":123,"path":124,"stem":125},{"title":127,"path":128,"stem":129},{"title":131,"path":132,"stem":133},{"title":135,"path":136,"stem":137},{"title":139,"path":140,"stem":141},{"title":143,"path":144,"stem":145},{"title":147,"path":148,"stem":149},{"title":151,"path":152,"stem":153},{"title":155,"path":156,"stem":157},{"title":159,"path":160,"stem":161},{"title":163,"path":164,"stem":165},{"title":167,"path":168,"stem":169,"children":550},[551,552,553,554,563,564],{"title":167,"path":168,"stem":169},{"title":173,"path":174,"stem":175},{"title":177,"path":178,"stem":179},{"title":181,"path":182,"stem":183,"children":555},[556,557,558,559,560,561,562],{"title":181,"path":182,"stem":183},{"title":187,"path":188,"stem":189},{"title":191,"path":192,"stem":193},{"title":195,"path":196,"stem":197},{"title":199,"path":200,"stem":201},{"title":203,"path":204,"stem":205},{"title":207,"path":208,"stem":209},{"title":147,"path":211,"stem":212},{"title":38,"path":214,"stem":215},{"title":38,"path":217,"stem":218},{"title":220,"path":221,"stem":222,"children":567,"page":53},[568,569,570],{"title":225,"path":226,"stem":227},{"title":229,"path":230,"stem":231},{"title":233,"path":234,"stem":235},{"title":237,"path":238,"stem":239},{"title":241,"path":242,"stem":243,"children":573,"page":53},[574,575,576],{"title":246,"path":247,"stem":248},{"title":250,"path":251,"stem":252},{"title":254,"path":255,"stem":256},{"title":40,"path":42,"stem":578,"children":579},"docs\u002Fshield-base\u002Findex",[580,581,584,588,629,633,637,641],{"title":40,"path":42,"stem":578},{"title":14,"path":582,"stem":583},"\u002Fdocs\u002Fshield-base\u002Fgetting-started","docs\u002Fshield-base\u002F00.getting-started",{"title":585,"path":586,"stem":587},"CLI Reference","\u002Fdocs\u002Fshield-base\u002Fcli","docs\u002Fshield-base\u002F01.cli",{"title":411,"path":589,"stem":590,"children":591},"\u002Fdocs\u002Fshield-base\u002Fdata-sources","docs\u002Fshield-base\u002F02.data-sources\u002Findex",[592,593,597,601,605,609,613,617,621,625],{"title":411,"path":589,"stem":590},{"title":594,"path":595,"stem":596},"BGP \u002F ASN","\u002Fdocs\u002Fshield-base\u002Fdata-sources\u002Fbgp","docs\u002Fshield-base\u002F02.data-sources\u002Fbgp",{"title":598,"path":599,"stem":600},"City Geolocation","\u002Fdocs\u002Fshield-base\u002Fdata-sources\u002Fcity","docs\u002Fshield-base\u002F02.data-sources\u002Fcity",{"title":602,"path":603,"stem":604},"Country Geolocation","\u002Fdocs\u002Fshield-base\u002Fdata-sources\u002Fcountry","docs\u002Fshield-base\u002F02.data-sources\u002Fcountry",{"title":606,"path":607,"stem":608},"Verified Crawlers","\u002Fdocs\u002Fshield-base\u002Fdata-sources\u002Fcrawlers","docs\u002Fshield-base\u002F02.data-sources\u002Fcrawlers",{"title":610,"path":611,"stem":612},"Disposable Emails","\u002Fdocs\u002Fshield-base\u002Fdata-sources\u002Femail","docs\u002Fshield-base\u002F02.data-sources\u002Femail",{"title":614,"path":615,"stem":616},"FireHOL Threat Intelligence","\u002Fdocs\u002Fshield-base\u002Fdata-sources\u002Ffirehol","docs\u002Fshield-base\u002F02.data-sources\u002Ffirehol",{"title":618,"path":619,"stem":620},"Proxy Detection","\u002Fdocs\u002Fshield-base\u002Fdata-sources\u002Fproxy","docs\u002Fshield-base\u002F02.data-sources\u002Fproxy",{"title":622,"path":623,"stem":624},"Tor Nodes","\u002Fdocs\u002Fshield-base\u002Fdata-sources\u002Ftor","docs\u002Fshield-base\u002F02.data-sources\u002Ftor",{"title":626,"path":627,"stem":628},"Suspicious User-Agents","\u002Fdocs\u002Fshield-base\u002Fdata-sources\u002Fuseragent","docs\u002Fshield-base\u002F02.data-sources\u002Fuseragent",{"title":630,"path":631,"stem":632},"Programmatic Usage","\u002Fdocs\u002Fshield-base\u002Fusage","docs\u002Fshield-base\u002F03.usage",{"title":634,"path":635,"stem":636},"Custom Data Sources","\u002Fdocs\u002Fshield-base\u002Fcustom-data-sources","docs\u002Fshield-base\u002F04.custom-data-sources",{"title":638,"path":639,"stem":640},"TypeScript Types","\u002Fdocs\u002Fshield-base\u002Ftypes","docs\u002Fshield-base\u002F05.types",{"title":246,"path":642,"stem":643},"\u002Fdocs\u002Fshield-base\u002Fapi","docs\u002Fshield-base\u002F06.api",{"title":395,"path":48,"stem":645,"children":646},"docs\u002Futils\u002Findex",[647,648,665,698,795],{"title":395,"path":48,"stem":645},{"title":649,"path":650,"stem":651,"children":652,"page":53},"Eslint","\u002Fdocs\u002Futils\u002Feslint","docs\u002Futils\u002Feslint",[653,657,661],{"title":654,"path":655,"stem":656},"React Config","\u002Fdocs\u002Futils\u002Feslint\u002Freact","docs\u002Futils\u002Feslint\u002Freact",{"title":658,"path":659,"stem":660},"TypeScript Config","\u002Fdocs\u002Futils\u002Feslint\u002Ftypescript","docs\u002Futils\u002Feslint\u002Ftypescript",{"title":662,"path":663,"stem":664},"Vue Config","\u002Fdocs\u002Futils\u002Feslint\u002Fvue","docs\u002Futils\u002Feslint\u002Fvue",{"title":666,"path":667,"stem":668,"children":669,"page":53},"Server","\u002Fdocs\u002Futils\u002Fserver","docs\u002Futils\u002Fserver",[670,674,678,682,686,690,694],{"title":671,"path":672,"stem":673},"Encryption","\u002Fdocs\u002Futils\u002Fserver\u002Fencryption","docs\u002Futils\u002Fserver\u002Fencryption",{"title":675,"path":676,"stem":677},"Path Resolver","\u002Fdocs\u002Futils\u002Fserver\u002Fpathresolver","docs\u002Futils\u002Fserver\u002FpathResolver",{"title":679,"path":680,"stem":681},"File Replacements","\u002Fdocs\u002Futils\u002Fserver\u002Freplace","docs\u002Futils\u002Fserver\u002Freplace",{"title":683,"path":684,"stem":685},"run","\u002Fdocs\u002Futils\u002Fserver\u002Frun","docs\u002Futils\u002Fserver\u002Frun",{"title":687,"path":688,"stem":689},"scheduleTask","\u002Fdocs\u002Futils\u002Fserver\u002Fscheduletask","docs\u002Futils\u002Fserver\u002FscheduleTask",{"title":691,"path":692,"stem":693},"spawnRun","\u002Fdocs\u002Futils\u002Fserver\u002Fspawnrun","docs\u002Futils\u002Fserver\u002FspawnRun",{"title":695,"path":696,"stem":697},"uploadCsv","\u002Fdocs\u002Futils\u002Fserver\u002Fuploadcsv","docs\u002Futils\u002Fserver\u002FuploadCsv",{"title":699,"path":700,"stem":701,"children":702,"page":53},"Shared","\u002Fdocs\u002Futils\u002Fshared","docs\u002Futils\u002Fshared",[703,707,711,715,719,723,727,731,735,739,743,747,751,755,759,763,767,771,775,779,783,787,791],{"title":704,"path":705,"stem":706},"BatchQueue","\u002Fdocs\u002Futils\u002Fshared\u002Fbatchqueue","docs\u002Futils\u002Fshared\u002FbatchQueue",{"title":708,"path":709,"stem":710},"capitalize","\u002Fdocs\u002Futils\u002Fshared\u002Fcapitalize","docs\u002Futils\u002Fshared\u002Fcapitalize",{"title":712,"path":713,"stem":714},"chunkProcess","\u002Fdocs\u002Futils\u002Fshared\u002Fchunkprocess","docs\u002Futils\u002Fshared\u002FchunkProcess",{"title":716,"path":717,"stem":718},"cleanObject","\u002Fdocs\u002Futils\u002Fshared\u002Fcleanobject","docs\u002Futils\u002Fshared\u002FcleanObject",{"title":720,"path":721,"stem":722},"createConfigManager","\u002Fdocs\u002Futils\u002Fshared\u002Fconfigurationdefiner","docs\u002Futils\u002Fshared\u002FconfigurationDefiner",{"title":724,"path":725,"stem":726},"debounce","\u002Fdocs\u002Futils\u002Fshared\u002Fdebounce","docs\u002Futils\u002Fshared\u002Fdebounce",{"title":728,"path":729,"stem":730},"ensureArray","\u002Fdocs\u002Futils\u002Fshared\u002Fensurearray","docs\u002Futils\u002Fshared\u002FensureArray",{"title":732,"path":733,"stem":734},"fetchWithRetry","\u002Fdocs\u002Futils\u002Fshared\u002Ffetchwithretry","docs\u002Futils\u002Fshared\u002FfetchWithRetry",{"title":736,"path":737,"stem":738},"filterEmptyValues","\u002Fdocs\u002Futils\u002Fshared\u002Ffilteremptyvalues","docs\u002Futils\u002Fshared\u002FfilterEmptyValues",{"title":740,"path":741,"stem":742},"findStringsInObject","\u002Fdocs\u002Futils\u002Fshared\u002Ffindobjectvalues","docs\u002Futils\u002Fshared\u002FfindObjectValues",{"title":744,"path":745,"stem":746},"fisherYatesShuffle","\u002Fdocs\u002Futils\u002Fshared\u002Ffisheryatesshuffle","docs\u002Futils\u002Fshared\u002FfisherYatesShuffle",{"title":748,"path":749,"stem":750},"getRandomImage","\u002Fdocs\u002Futils\u002Fshared\u002Fgetrandomimage","docs\u002Futils\u002Fshared\u002FgetRandomImage",{"title":752,"path":753,"stem":754},"isObjectHasValues","\u002Fdocs\u002Futils\u002Fshared\u002Fisobjecthasvalues","docs\u002Futils\u002Fshared\u002FisObjectHasValues",{"title":756,"path":757,"stem":758},"isAsyncOrPromise","\u002Fdocs\u002Futils\u002Fshared\u002Fispromise","docs\u002Futils\u002Fshared\u002FisPromise",{"title":760,"path":761,"stem":762},"MiniCache","\u002Fdocs\u002Futils\u002Fshared\u002Fminicache","docs\u002Futils\u002Fshared\u002FminiCache",{"title":764,"path":765,"stem":766},"parseCookies","\u002Fdocs\u002Futils\u002Fshared\u002Fparserawcookies","docs\u002Futils\u002Fshared\u002FparseRawCookies",{"title":768,"path":769,"stem":770},"safeAction","\u002Fdocs\u002Futils\u002Fshared\u002Fpromiselocker","docs\u002Futils\u002Fshared\u002FpromiseLocker",{"title":772,"path":773,"stem":774},"Random","\u002Fdocs\u002Futils\u002Fshared\u002Frandom","docs\u002Futils\u002Fshared\u002Frandom",{"title":776,"path":777,"stem":778},"range","\u002Fdocs\u002Futils\u002Fshared\u002Frange","docs\u002Futils\u002Fshared\u002Frange",{"title":780,"path":781,"stem":782},"rateLimiters","\u002Fdocs\u002Futils\u002Fshared\u002Fratelimiters","docs\u002Futils\u002Fshared\u002FrateLimiters",{"title":784,"path":785,"stem":786},"safeObjectMerge","\u002Fdocs\u002Futils\u002Fshared\u002Fsafemerge","docs\u002Futils\u002Fshared\u002FsafeMerge",{"title":788,"path":789,"stem":790},"textTruncation","\u002Fdocs\u002Futils\u002Fshared\u002Ftexttruncation","docs\u002Futils\u002Fshared\u002FtextTruncation",{"title":792,"path":793,"stem":794},"validateZodSchema","\u002Fdocs\u002Futils\u002Fshared\u002Fvalidatezodschema","docs\u002Futils\u002Fshared\u002FvalidateZodSchema",{"title":796,"path":797,"stem":798,"children":799},"Utility Types","\u002Fdocs\u002Futils\u002Ftypes","docs\u002Futils\u002Ftypes\u002Findex",[800,801,805,809,813,817,821,825,829,833],{"title":796,"path":797,"stem":798},{"title":802,"path":803,"stem":804},"Brand","\u002Fdocs\u002Futils\u002Ftypes\u002Fbrand","docs\u002Futils\u002Ftypes\u002FBrand",{"title":806,"path":807,"stem":808},"DeepPartial","\u002Fdocs\u002Futils\u002Ftypes\u002Fdeeppartial","docs\u002Futils\u002Ftypes\u002FDeepPartial",{"title":810,"path":811,"stem":812},"Merge","\u002Fdocs\u002Futils\u002Ftypes\u002Fmerge","docs\u002Futils\u002Ftypes\u002FMerge",{"title":814,"path":815,"stem":816},"NonNullable","\u002Fdocs\u002Futils\u002Ftypes\u002Fnonnullable","docs\u002Futils\u002Ftypes\u002FNonNullable",{"title":818,"path":819,"stem":820},"Prettify","\u002Fdocs\u002Futils\u002Ftypes\u002Fprettify","docs\u002Futils\u002Ftypes\u002FPrettify",{"title":822,"path":823,"stem":824},"PromiseType","\u002Fdocs\u002Futils\u002Ftypes\u002Fpromisetype","docs\u002Futils\u002Ftypes\u002FPromiseType",{"title":826,"path":827,"stem":828},"RequireKeys","\u002Fdocs\u002Futils\u002Ftypes\u002Frequirekeys","docs\u002Futils\u002Ftypes\u002FRequireKeys",{"title":830,"path":831,"stem":832},"StandardResponse","\u002Fdocs\u002Futils\u002Ftypes\u002Fstandardresponse","docs\u002Futils\u002Ftypes\u002FStandardResponse",{"title":834,"path":835,"stem":836},"ValueOf","\u002Fdocs\u002Futils\u002Ftypes\u002Fvalueof","docs\u002Futils\u002Ftypes\u002FValueOf",{"id":4,"extension":5,"links":838,"meta":849,"stem":62,"__hash__":63},[839,847,848],{"nested":8,"label":9,"icon":10,"to":11,"children":840},[841,842,843,844,845,846],{"label":14,"icon":15,"to":11,"description":16,"github":17,"badge":18},{"label":20,"icon":21,"to":22,"description":23,"github":24,"badge":25},{"label":27,"icon":28,"to":29,"description":30,"github":31,"badge":25},{"label":33,"icon":34,"to":35,"description":36,"github":37,"badge":38},{"label":40,"icon":41,"to":42,"description":43,"github":44,"badge":38},{"label":46,"icon":47,"to":48,"description":49,"github":50,"badge":51},{"nested":53,"label":54,"icon":55,"to":56},{"nested":53,"label":58,"icon":59,"to":60},{},{"id":851,"title":155,"body":852,"description":2593,"extension":2594,"icon":2595,"meta":2596,"module":2597,"navigation":8,"path":156,"rawbody":2598,"seo":2599,"stem":157,"__hash__":2600},"docs\u002Fdocs\u002Fiam\u002F01.essentials\u002F18.cookies.md",{"type":853,"value":854,"toc":2562},"minimark",[855,897,917,920,925,1002,1004,1010,1019,1024,1131,1135,1140,1221,1224,1380,1384,1389,1439,1461,1463,1468,1476,1479,1578,1581,1589,1592,1605,1709,1712,1738,1753,1755,1761,1770,1774,1868,1878,1880,1886,1896,1971,1975,1978,2052,2067,2069,2073,2079,2090,2098,2120,2126,2139,2154,2160,2177,2182,2246,2260,2262,2266,2269,2412,2423,2425,2429,2541,2558],[856,857,858,859,863,864,868,869,872,873,876,877,880,881,885,886,889,890,872,893,896],"p",{},"The IAM service uses three cookies. It ",[860,861,862],"strong",{},"sets"," two of them ",[865,866,867],"code",{},"session"," and ",[865,870,871],{},"iat",", and ",[860,874,875],{},"reads"," one that it does not own, ",[865,878,879],{},"canary_id",", which is set by the ",[882,883,884],"a",{"href":35},"bot-detector",". Every cookie the service writes is ",[865,887,888],{},"httpOnly",", ",[865,891,892],{},"secure",[865,894,895],{},"sameSite: strict",". No cookie is ever accessible to client side JavaScript.",[856,898,899,900,902,903,905,906,909,910,913,914,916],{},"The ",[865,901,867],{}," cookie carries the raw refresh token. The ",[865,904,871],{}," cookie carries the millisecond timestamp of when the credentials were last issued. Together, they let the client send refresh requests without storing sensitive values in ",[865,907,908],{},"localStorage"," or ",[865,911,912],{},"sessionStorage",". The ",[865,915,879],{}," cookie is a device fingerprint created by the bot-detector and is consumed by the IAM service during signup, login, OAuth, and anomaly detection flows.",[918,919],"hr",{},[921,922,924],"h2",{"id":923},"cookie-conventions","Cookie Conventions",[926,927,928,947],"table",{},[929,930,931],"thead",{},[932,933,934,938,941,944],"tr",{},[935,936,937],"th",{},"Cookie",[935,939,940],{},"Set by",[935,942,943],{},"Value",[935,945,946],{},"Purpose",[948,949,950,966,983],"tbody",{},[932,951,952,957,960,963],{},[953,954,955],"td",{},[865,956,867],{},[953,958,959],{},"IAM service",[953,961,962],{},"Raw refresh token, 64-byte hex string",[953,964,965],{},"Authenticates refresh and logout requests",[932,967,968,972,974,980],{},[953,969,970],{},[865,971,871],{},[953,973,959],{},[953,975,976,979],{},[865,977,978],{},"Date.now().toString()",", milliseconds",[953,981,982],{},"Records when the last token pair was issued. Used by clients to decide when to trigger rotation.",[932,984,985,989,992,995],{},[953,986,987],{},[865,988,879],{},[953,990,991],{},"Bot-detector",[953,993,994],{},"Device fingerprint identifier, up to 64 chars",[953,996,997,998,1001],{},"Links the request to a ",[865,999,1000],{},"visitors"," table row. Used for anomaly detection, signup validation, and user creation.",[918,1003],{},[921,1005,1007,1009],{"id":1006},"session-cookie",[865,1008,867],{}," Cookie",[856,1011,899,1012,1014,1015,1018],{},[865,1013,867],{}," cookie is the most security-critical cookie in the system. It contains the raw, unhashed refresh token. The server stores only a SHA-256 hash of this value in the ",[865,1016,1017],{},"refresh_tokens"," table. Anyone who possesses the raw cookie value can request a new access token.",[1020,1021,1023],"h3",{"id":1022},"options","Options",[926,1025,1026,1038],{},[929,1027,1028],{},[932,1029,1030,1033,1035],{},[935,1031,1032],{},"Option",[935,1034,943],{},[935,1036,1037],{},"Reason",[948,1039,1040,1054,1067,1082,1101,1116],{},[932,1041,1042,1046,1051],{},[953,1043,1044],{},[865,1045,888],{},[953,1047,1048],{},[865,1049,1050],{},"true",[953,1052,1053],{},"Prevents JavaScript access. Mitigates XSS token theft.",[932,1055,1056,1060,1064],{},[953,1057,1058],{},[865,1059,892],{},[953,1061,1062],{},[865,1063,1050],{},[953,1065,1066],{},"Only transmitted over HTTPS.",[932,1068,1069,1074,1079],{},[953,1070,1071],{},[865,1072,1073],{},"sameSite",[953,1075,1076],{},[865,1077,1078],{},"strict",[953,1080,1081],{},"Only sent on same-site requests. Prevents CSRF.",[932,1083,1084,1089,1094],{},[953,1085,1086],{},[865,1087,1088],{},"domain",[953,1090,1091],{},[865,1092,1093],{},"jwt.refresh_tokens.domain",[953,1095,1096,1097,1100],{},"Scoped to the configured domain (e.g., ",[865,1098,1099],{},".example.com"," for cross-subdomain sharing).",[932,1102,1103,1108,1113],{},[953,1104,1105],{},[865,1106,1107],{},"path",[953,1109,1110],{},[865,1111,1112],{},"\u002F",[953,1114,1115],{},"Available on all paths.",[932,1117,1118,1123,1128],{},[953,1119,1120],{},[865,1121,1122],{},"expires",[953,1124,1125],{},[865,1126,1127],{},"refreshToken.expiresAt",[953,1129,1130],{},"Matches the refresh token's database expiry. The cookie and the token expire at the same moment.",[1020,1132,1134],{"id":1133},"when-it-is-set","When It Is Set",[856,1136,899,1137,1139],{},[865,1138,867],{}," cookie is written in every flow that issues a new refresh token:",[926,1141,1142,1155],{},[929,1143,1144],{},[932,1145,1146,1149,1152],{},[935,1147,1148],{},"Flow",[935,1150,1151],{},"Controller",[935,1153,1154],{},"Trigger",[948,1156,1157,1169,1181,1196,1208],{},[932,1158,1159,1161,1166],{},[953,1160,103],{},[953,1162,1163],{},[865,1164,1165],{},"loginController",[953,1167,1168],{},"Successful email\u002Fpassword authentication",[932,1170,1171,1173,1178],{},[953,1172,99],{},[953,1174,1175],{},[865,1176,1177],{},"signUpController",[953,1179,1180],{},"New account creation",[932,1182,1183,1186,1191],{},[953,1184,1185],{},"Token rotation",[953,1187,1188],{},[865,1189,1190],{},"rotateCredentials",[953,1192,1193],{},[865,1194,1195],{},"POST \u002Fauth\u002Fuser\u002Frefresh-session",[932,1197,1198,1200,1205],{},[953,1199,111],{},[953,1201,1202,1204],{},[865,1203,111],{}," controller",[953,1206,1207],{},"Successful OAuth provider callback",[932,1209,1210,1213,1218],{},[953,1211,1212],{},"MFA completion",[953,1214,1215],{},[865,1216,1217],{},"verifyMfaCode",[953,1219,1220],{},"Successful MFA code verification",[856,1222,1223],{},"In every case, the pattern is the same:",[1225,1226,1231],"pre",{"className":1227,"code":1228,"language":1229,"meta":1230,"style":1230},"language-ts shiki shiki-themes light-plus light-plus dracula","makeCookie(res, 'session', newRefresh.raw, {\n  httpOnly: true,\n  sameSite: 'strict',\n  secure: true,\n  domain: jwt.refresh_tokens.domain,\n  path: '\u002F',\n  expires: newRefresh.expiresAt\n})\n","ts","",[865,1232,1233,1275,1292,1309,1321,1342,1358,1374],{"__ignoreMap":1230},[1234,1235,1238,1242,1246,1250,1252,1256,1259,1261,1263,1266,1269,1272],"span",{"class":1236,"line":1237},"line",1,[1234,1239,1241],{"class":1240},"sHOzp","makeCookie",[1234,1243,1245],{"class":1244},"sDd4n","(",[1234,1247,1249],{"class":1248},"sjsA6","res",[1234,1251,889],{"class":1244},[1234,1253,1255],{"class":1254},"sFkSl","'",[1234,1257,867],{"class":1258},"sFB1V",[1234,1260,1255],{"class":1254},[1234,1262,889],{"class":1244},[1234,1264,1265],{"class":1248},"newRefresh",[1234,1267,1268],{"class":1244},".",[1234,1270,1271],{"class":1248},"raw",[1234,1273,1274],{"class":1244},", {\n",[1234,1276,1278,1281,1285,1289],{"class":1236,"line":1277},2,[1234,1279,1280],{"class":1248},"  httpOnly",[1234,1282,1284],{"class":1283},"s34zl",":",[1234,1286,1288],{"class":1287},"sjR7W"," true",[1234,1290,1291],{"class":1244},",\n",[1234,1293,1295,1298,1300,1303,1305,1307],{"class":1236,"line":1294},3,[1234,1296,1297],{"class":1248},"  sameSite",[1234,1299,1284],{"class":1283},[1234,1301,1302],{"class":1254}," '",[1234,1304,1078],{"class":1258},[1234,1306,1255],{"class":1254},[1234,1308,1291],{"class":1244},[1234,1310,1312,1315,1317,1319],{"class":1236,"line":1311},4,[1234,1313,1314],{"class":1248},"  secure",[1234,1316,1284],{"class":1283},[1234,1318,1288],{"class":1287},[1234,1320,1291],{"class":1244},[1234,1322,1324,1327,1329,1332,1334,1336,1338,1340],{"class":1236,"line":1323},5,[1234,1325,1326],{"class":1248},"  domain",[1234,1328,1284],{"class":1283},[1234,1330,1331],{"class":1248}," jwt",[1234,1333,1268],{"class":1244},[1234,1335,1017],{"class":1248},[1234,1337,1268],{"class":1244},[1234,1339,1088],{"class":1248},[1234,1341,1291],{"class":1244},[1234,1343,1345,1348,1350,1352,1354,1356],{"class":1236,"line":1344},6,[1234,1346,1347],{"class":1248},"  path",[1234,1349,1284],{"class":1283},[1234,1351,1302],{"class":1254},[1234,1353,1112],{"class":1258},[1234,1355,1255],{"class":1254},[1234,1357,1291],{"class":1244},[1234,1359,1361,1364,1366,1369,1371],{"class":1236,"line":1360},7,[1234,1362,1363],{"class":1248},"  expires",[1234,1365,1284],{"class":1283},[1234,1367,1368],{"class":1248}," newRefresh",[1234,1370,1268],{"class":1244},[1234,1372,1373],{"class":1248},"expiresAt\n",[1234,1375,1377],{"class":1236,"line":1376},8,[1234,1378,1379],{"class":1244},"})\n",[1020,1381,1383],{"id":1382},"when-it-is-cleared","When It Is Cleared",[856,1385,899,1386,1388],{},[865,1387,867],{}," cookie is cleared in two scenarios:",[1390,1391,1393,1397,1415,1419],"steps",{"level":1392},"4",[1394,1395,107],"h4",{"id":1396},"logout",[856,1398,1399,1400,1403,1404,889,1406,889,1408,889,1410,872,1412,1414],{},"The logout controller calls ",[865,1401,1402],{},"res.clearCookie('session', options)"," with the same ",[865,1405,888],{},[865,1407,1073],{},[865,1409,892],{},[865,1411,1088],{},[865,1413,1107],{}," options used when setting it. Matching every option exactly is required by the browser's cookie deletion rules.",[1394,1416,1418],{"id":1417},"session-expiry-during-rotation","Session expiry during rotation",[856,1420,1421,1422,1425,1426,1429,1430,868,1432,1434,1435,1438],{},"When the rotation controller detects that ",[865,1423,1424],{},"session_started_at"," exceeds ",[865,1427,1428],{},"MAX_SESSION_LIFE",", it revokes the token, clears both ",[865,1431,867],{},[865,1433,871],{},", and returns ",[865,1436,1437],{},"401 Session is expired",". The user must log in again.",[1440,1441,1442],"warning",{},[856,1443,1444,1445,1448,1449,1452,1453,889,1455,1457,1458,1460],{},"If any option in ",[865,1446,1447],{},"clearCookie"," does not match the original ",[865,1450,1451],{},"setCookie"," options (different ",[865,1454,1088],{},[865,1456,1107],{},", or ",[865,1459,1073],{},"), the browser silently ignores the deletion request and the cookie persists. The service always uses the same option set for both operations.",[918,1462],{},[921,1464,1466,1009],{"id":1465},"iat-cookie",[865,1467,871],{},[856,1469,899,1470,1472,1473,1475],{},[865,1471,871],{}," (issued-at) cookie records the moment when the most recent token pair (access + refresh) was issued. The value is ",[865,1474,978],{},", a millisecond Unix timestamp as a string.",[1020,1477,1023],{"id":1478},"options-1",[926,1480,1481,1491],{},[929,1482,1483],{},[932,1484,1485,1487,1489],{},[935,1486,1032],{},[935,1488,943],{},[935,1490,1037],{},[948,1492,1493,1506,1519,1532,1553,1565],{},[932,1494,1495,1499,1503],{},[953,1496,1497],{},[865,1498,888],{},[953,1500,1501],{},[865,1502,1050],{},[953,1504,1505],{},"Not accessible to JavaScript.",[932,1507,1508,1512,1516],{},[953,1509,1510],{},[865,1511,892],{},[953,1513,1514],{},[865,1515,1050],{},[953,1517,1518],{},"HTTPS only.",[932,1520,1521,1525,1529],{},[953,1522,1523],{},[865,1524,1073],{},[953,1526,1527],{},[865,1528,1078],{},[953,1530,1531],{},"Same-site only.",[932,1533,1534,1538,1541],{},[953,1535,1536],{},[865,1537,1088],{},[953,1539,1540],{},"Not set",[953,1542,1543,1544,1546,1547,1549,1550,1552],{},"Unlike ",[865,1545,867],{},", the ",[865,1548,871],{}," cookie does not specify a ",[865,1551,1088],{},". It defaults to the exact hostname that set it.",[932,1554,1555,1559,1563],{},[953,1556,1557],{},[865,1558,1107],{},[953,1560,1561],{},[865,1562,1112],{},[953,1564,1115],{},[932,1566,1567,1571,1575],{},[953,1568,1569],{},[865,1570,1122],{},[953,1572,1573],{},[865,1574,1127],{},[953,1576,1577],{},"Expires alongside the refresh token.",[1020,1579,946],{"id":1580},"purpose",[856,1582,899,1583,1585,1586,1588],{},[865,1584,871],{}," cookie helps upstream services determine how recently credentials were issued without decoding the access token JWT. A BFF can read the ",[865,1587,871],{}," value to decide whether a proactive rotation is needed before the access token expires.",[1020,1590,1134],{"id":1591},"when-it-is-set-1",[856,1593,899,1594,1596,1597,1599,1600,1602,1603,1284],{},[865,1595,871],{}," cookie is always set alongside the ",[865,1598,867],{}," cookie. Every flow listed in the ",[865,1601,867],{}," cookie table above also sets ",[865,1604,871],{},[1225,1606,1608],{"className":1227,"code":1607,"language":1229,"meta":1230,"style":1230},"makeCookie(res, 'iat', Date.now().toString(), {\n  httpOnly: true,\n  secure: true,\n  sameSite: 'strict',\n  path: '\u002F',\n  expires: newRefresh.expiresAt\n})\n",[865,1609,1610,1645,1655,1665,1679,1693,1705],{"__ignoreMap":1230},[1234,1611,1612,1614,1616,1618,1620,1622,1624,1626,1628,1631,1633,1636,1639,1642],{"class":1236,"line":1237},[1234,1613,1241],{"class":1240},[1234,1615,1245],{"class":1244},[1234,1617,1249],{"class":1248},[1234,1619,889],{"class":1244},[1234,1621,1255],{"class":1254},[1234,1623,871],{"class":1258},[1234,1625,1255],{"class":1254},[1234,1627,889],{"class":1244},[1234,1629,1630],{"class":1248},"Date",[1234,1632,1268],{"class":1244},[1234,1634,1635],{"class":1240},"now",[1234,1637,1638],{"class":1244},"().",[1234,1640,1641],{"class":1240},"toString",[1234,1643,1644],{"class":1244},"(), {\n",[1234,1646,1647,1649,1651,1653],{"class":1236,"line":1277},[1234,1648,1280],{"class":1248},[1234,1650,1284],{"class":1283},[1234,1652,1288],{"class":1287},[1234,1654,1291],{"class":1244},[1234,1656,1657,1659,1661,1663],{"class":1236,"line":1294},[1234,1658,1314],{"class":1248},[1234,1660,1284],{"class":1283},[1234,1662,1288],{"class":1287},[1234,1664,1291],{"class":1244},[1234,1666,1667,1669,1671,1673,1675,1677],{"class":1236,"line":1311},[1234,1668,1297],{"class":1248},[1234,1670,1284],{"class":1283},[1234,1672,1302],{"class":1254},[1234,1674,1078],{"class":1258},[1234,1676,1255],{"class":1254},[1234,1678,1291],{"class":1244},[1234,1680,1681,1683,1685,1687,1689,1691],{"class":1236,"line":1323},[1234,1682,1347],{"class":1248},[1234,1684,1284],{"class":1283},[1234,1686,1302],{"class":1254},[1234,1688,1112],{"class":1258},[1234,1690,1255],{"class":1254},[1234,1692,1291],{"class":1244},[1234,1694,1695,1697,1699,1701,1703],{"class":1236,"line":1344},[1234,1696,1363],{"class":1248},[1234,1698,1284],{"class":1283},[1234,1700,1368],{"class":1248},[1234,1702,1268],{"class":1244},[1234,1704,1373],{"class":1248},[1234,1706,1707],{"class":1236,"line":1360},[1234,1708,1379],{"class":1244},[1020,1710,1383],{"id":1711},"when-it-is-cleared-1",[856,1713,899,1714,1716,1717,1719,1720,1722,1723,889,1725,889,1727,872,1729,1731,1732,1734,1735,1737],{},[865,1715,871],{}," cookie is cleared alongside ",[865,1718,867],{}," during logout and session expiry. The ",[865,1721,1447],{}," call uses the same ",[865,1724,888],{},[865,1726,1073],{},[865,1728,892],{},[865,1730,1107],{}," options. For logout specifically, the ",[865,1733,1088],{}," is explicitly set to ",[865,1736,1093],{}," in the clear call to ensure the deletion reaches the correct scope.",[1739,1740,1741],"note",{},[856,1742,899,1743,1745,1746,1748,1749,1752],{},[865,1744,871],{}," cookie is set without a ",[865,1747,1088],{}," but cleared with ",[865,1750,1751],{},"domain: jwt.refresh_tokens.domain"," in the logout controller. This inconsistency works because browsers treat a cookie set without a domain as belonging to the exact host, and a clear with a broader domain will match it if the host falls within that domain scope.",[918,1754],{},[921,1756,1758,1760],{"id":1757},"canary_id-cookie-read-only",[865,1759,879],{}," Cookie - Read-Only",[856,1762,1763,1764,1766,1767,1769],{},"The IAM service reads but never writes the ",[865,1765,879],{}," cookie. This cookie is set by the ",[882,1768,884],{"href":35}," middleware, which runs before the IAM service's routes.",[1020,1771,1773],{"id":1772},"how-the-iam-service-uses-it","How the IAM Service Uses It",[926,1775,1776,1785],{},[929,1777,1778],{},[932,1779,1780,1783],{},[935,1781,1782],{},"Consumer",[935,1784,946],{},[948,1786,1787,1802,1813,1822,1845,1855],{},[932,1788,1789,1792],{},[953,1790,1791],{},"Signup guard",[953,1793,1794,1795,1797,1798,1801],{},"Validates that ",[865,1796,879],{}," is present in the request. Returns ",[865,1799,1800],{},"400"," if missing, because the visitor record is required for user creation.",[932,1803,1804,1807],{},[953,1805,1806],{},"Login guard",[953,1808,1809,1810,1812],{},"Same validation. Returns ",[865,1811,1800],{}," if missing.",[932,1814,1815,1818],{},[953,1816,1817],{},"OAuth guard",[953,1819,1809,1820,1812],{},[865,1821,1800],{},[932,1823,1824,1829],{},[953,1825,1826],{},[865,1827,1828],{},"createUser()",[953,1830,1831,1832,1834,1835,1838,1839,1841,1842,1844],{},"Uses the ",[865,1833,879],{}," to look up the ",[865,1836,1837],{},"visitor_id"," from the ",[865,1840,1000],{}," table, then stores it in the new user's ",[865,1843,1837],{}," column.",[932,1846,1847,1852],{},[953,1848,1849],{},[865,1850,1851],{},"trustVisitor()",[953,1853,1854],{},"Marks the visitor record as trusted after successful authentication (clears suspicious activity flags).",[932,1856,1857,1862],{},[953,1858,1859],{},[865,1860,1861],{},"strangeThings()",[953,1863,1864,1865,1867],{},"The anomaly detection engine uses ",[865,1866,879],{}," to load the full visitor record (IP, geo, device, proxy status, suspicion score) and compare it against the current request.",[1440,1869,1870],{},[856,1871,899,1872,1874,1875,1877],{},[865,1873,879],{}," cookie is a hard requirement for signup, login, and OAuth flows. If the bot-detector is not running or the cookie is missing, these endpoints return ",[865,1876,1800],{}," without processing the request. You cannot create users without a valid visitor record.",[918,1879],{},[921,1881,1883,1885],{"id":1882},"makecookie-helper",[865,1884,1241],{}," Helper",[856,1887,1888,1889,1891,1892,1895],{},"All cookie operations go through the ",[865,1890,1241],{}," utility function. It wraps ",[865,1893,1894],{},"res.cookie()"," with automatic prefix enforcement for security-hardened cookie names.",[1225,1897,1899],{"className":1227,"code":1898,"language":1229,"meta":1230,"style":1230},"function makeCookie(\n  res: Response,\n  name: string,\n  value: string,\n  options: CookieOptions\n): void\n",[865,1900,1901,1913,1928,1940,1951,1961],{"__ignoreMap":1230},[1234,1902,1903,1907,1910],{"class":1236,"line":1237},[1234,1904,1906],{"class":1905},"sl46w","function",[1234,1908,1909],{"class":1240}," makeCookie",[1234,1911,1912],{"class":1244},"(\n",[1234,1914,1915,1919,1922,1926],{"class":1236,"line":1277},[1234,1916,1918],{"class":1917},"sygFZ","  res",[1234,1920,1284],{"class":1921},"saOXh",[1234,1923,1925],{"class":1924},"sFs1U"," Response",[1234,1927,1291],{"class":1244},[1234,1929,1930,1933,1935,1938],{"class":1236,"line":1294},[1234,1931,1932],{"class":1917},"  name",[1234,1934,1284],{"class":1921},[1234,1936,1937],{"class":1924}," string",[1234,1939,1291],{"class":1244},[1234,1941,1942,1945,1947,1949],{"class":1236,"line":1311},[1234,1943,1944],{"class":1917},"  value",[1234,1946,1284],{"class":1921},[1234,1948,1937],{"class":1924},[1234,1950,1291],{"class":1244},[1234,1952,1953,1956,1958],{"class":1236,"line":1323},[1234,1954,1955],{"class":1917},"  options",[1234,1957,1284],{"class":1921},[1234,1959,1960],{"class":1924}," CookieOptions\n",[1234,1962,1963,1966,1968],{"class":1236,"line":1344},[1234,1964,1965],{"class":1244},")",[1234,1967,1284],{"class":1921},[1234,1969,1970],{"class":1924}," void\n",[1020,1972,1974],{"id":1973},"prefix-enforcement","Prefix Enforcement",[856,1976,1977],{},"The function checks the cookie name for two standard security prefixes and enforces the corresponding browser requirements:",[926,1979,1980,1993],{},[929,1981,1982],{},[932,1983,1984,1987,1990],{},[935,1985,1986],{},"Prefix",[935,1988,1989],{},"Enforced Options",[935,1991,1992],{},"Effect",[948,1994,1995,2018],{},[932,1996,1997,2002,2007],{},[953,1998,1999],{},[865,2000,2001],{},"__Secure-",[953,2003,2004],{},[865,2005,2006],{},"secure: true",[953,2008,2009,2010,2012,2013,2015,2016,1268],{},"The function forces ",[865,2011,892],{}," to ",[865,2014,1050],{}," regardless of what was passed in ",[865,2017,1022],{},[932,2019,2020,2025,2033],{},[953,2021,2022],{},[865,2023,2024],{},"__Host-",[953,2026,2027,889,2029,2032],{},[865,2028,2006],{},[865,2030,2031],{},"path: '\u002F'",", domain deleted",[953,2034,2009,2035,2012,2037,2039,2040,2012,2042,2045,2046,2048,2049,2051],{},[865,2036,892],{},[865,2038,1050],{},", sets ",[865,2041,1107],{},[865,2043,2044],{},"'\u002F'",", and removes any ",[865,2047,1088],{}," from the options. ",[865,2050,2024],{}," cookies cannot be scoped to a parent domain.",[856,2053,2054,2055,889,2057,2059,2060,909,2063,2066],{},"Currently, the IAM service uses plain cookie names (",[865,2056,867],{},[865,2058,871],{},") without a prefix. The prefix enforcement exists for forward compatibility if the service adopts ",[865,2061,2062],{},"__Host-session",[865,2064,2065],{},"__Secure-session"," naming in the future. The enforcement logic runs on every call, so switching to prefixed names requires only changing the name string; the security constraints apply automatically.",[918,2068],{},[921,2070,2072],{"id":2071},"cookie-middleware","Cookie Middleware",[1020,2074,2076],{"id":2075},"cookieparser",[865,2077,2078],{},"cookieParser",[856,2080,2081,2082,2085,2086,2089],{},"The service mounts ",[865,2083,2084],{},"cookieParser()"," as Express middleware. It runs after ",[865,2087,2088],{},"express.json()"," and before any route handler:",[1225,2091,2096],{"className":2092,"code":2094,"language":2095},[2093],"language-text","httpLogger, helmet, headers, validateIp, hmacAuth?, json, cookieParser, routes\n","text",[865,2097,2094],{"__ignoreMap":1230},[856,2099,2100,2102,2103,2105,2106,2109,2110,889,2113,872,2116,2119],{},[865,2101,2078],{}," parses the ",[865,2104,937],{}," header and populates ",[865,2107,2108],{},"req.cookies"," as a key-value object. Every route handler downstream can access ",[865,2111,2112],{},"req.cookies.session",[865,2114,2115],{},"req.cookies.iat",[865,2117,2118],{},"req.cookies.canary_id"," directly.",[1020,2121,2123],{"id":2122},"requirerefreshtoken",[865,2124,2125],{},"requireRefreshToken",[856,2127,2128,2129,2131,2132,2134,2135,2138],{},"A middleware guard that checks for the ",[865,2130,867],{}," cookie before allowing the request to proceed. If ",[865,2133,2112],{}," is missing or empty, the middleware returns ",[865,2136,2137],{},"401"," immediately. Used on routes that consume the refresh token:",[2140,2141,2142,2148],"ul",{},[2143,2144,2145,2147],"li",{},[865,2146,1195],{}," rotation",[2143,2149,2150,2153],{},[865,2151,2152],{},"POST \u002Fauth\u002Flogout"," logout",[1020,2155,2157],{"id":2156},"acceptcookieonly",[865,2158,2159],{},"acceptCookieOnly",[856,2161,2162,2163,2166,2167,2170,2171,2174,2175,1268],{},"A stricter middleware guard for endpoints where the cookie should be the ",[860,2164,2165],{},"only"," input. It rejects requests that include a body, query parameters, or a ",[865,2168,2169],{},"Content-Type"," header. Exported from ",[865,2172,2173],{},"@riavzon\u002Fauth"," as ",[865,2176,2159],{},[856,2178,899,2179,2181],{},[865,2180,2159],{}," middleware performs these checks:",[1390,2183,2184,2188,2197,2201,2222,2226,2234,2238],{"level":1392},[1394,2185,2187],{"id":2186},"validate-cookie-presence","Validate cookie presence",[856,2189,2190,2191,2193,2194,2196],{},"Returns ",[865,2192,2137],{}," if ",[865,2195,2112],{}," is missing or not a string.",[1394,2198,2200],{"id":2199},"reject-request-body","Reject request body",[856,2202,2190,2203,2205,2206,2209,2210,2213,2214,2217,2218,2221],{},[865,2204,1800],{}," if any of these conditions are true: ",[865,2207,2208],{},"req.body"," contains keys, the ",[865,2211,2212],{},"Content-Length"," header is greater than zero, or the ",[865,2215,2216],{},"Transfer-Encoding"," header includes ",[865,2219,2220],{},"chunked",". This triple check catches payloads even if body parsing fails or is bypassed.",[1394,2223,2225],{"id":2224},"reject-query-parameters","Reject query parameters",[856,2227,2190,2228,2193,2230,2233],{},[865,2229,1800],{},[865,2231,2232],{},"req.query"," contains any keys. The request should have no query string.",[1394,2235,2237],{"id":2236},"reject-content-type","Reject Content-Type",[856,2239,2190,2240,2242,2243,2245],{},[865,2241,1800],{}," if the ",[865,2244,2169],{}," header is set. Cookie-only endpoints do not accept content.",[2247,2248,2249],"tip",{},[856,2250,2251,2253,2254,2256,2257,2259],{},[865,2252,2159],{}," is applied to the rotation and logout routes to ensure the refresh token comes exclusively from the ",[865,2255,867],{}," cookie. This prevents token injection through the request body or query string, which would bypass the ",[865,2258,888],{}," protection of the cookie.",[918,2261],{},[921,2263,2265],{"id":2264},"cookie-lifecycle-summary","Cookie Lifecycle Summary",[856,2267,2268],{},"The diagram below shows when each cookie is created and destroyed across the authentication lifecycle:",[926,2270,2271,2290],{},[929,2272,2273],{},[932,2274,2275,2278,2282,2286],{},[935,2276,2277],{},"Event",[935,2279,2280],{},[865,2281,867],{},[935,2283,2284],{},[865,2285,871],{},[935,2287,2288],{},[865,2289,879],{},[948,2291,2292,2306,2321,2335,2350,2365,2381,2397],{},[932,2293,2294,2297,2299,2301],{},[953,2295,2296],{},"First visit (bot-detector)",[953,2298],{},[953,2300],{},[953,2302,2303],{},[860,2304,2305],{},"Created",[932,2307,2308,2310,2314,2318],{},[953,2309,99],{},[953,2311,2312],{},[860,2313,2305],{},[953,2315,2316],{},[860,2317,2305],{},[953,2319,2320],{},"Read",[932,2322,2323,2325,2329,2333],{},[953,2324,103],{},[953,2326,2327],{},[860,2328,2305],{},[953,2330,2331],{},[860,2332,2305],{},[953,2334,2320],{},[932,2336,2337,2340,2344,2348],{},[953,2338,2339],{},"OAuth callback",[953,2341,2342],{},[860,2343,2305],{},[953,2345,2346],{},[860,2347,2305],{},[953,2349,2320],{},[932,2351,2352,2355,2359,2363],{},[953,2353,2354],{},"MFA verification",[953,2356,2357],{},[860,2358,2305],{},[953,2360,2361],{},[860,2362,2305],{},[953,2364,2320],{},[932,2366,2367,2369,2375,2379],{},[953,2368,1185],{},[953,2370,2371,2372],{},"Cleared, then ",[860,2373,2374],{},"re-created",[953,2376,2371,2377],{},[860,2378,2374],{},[953,2380,2320],{},[932,2382,2383,2385,2390,2394],{},[953,2384,107],{},[953,2386,2387],{},[860,2388,2389],{},"Cleared",[953,2391,2392],{},[860,2393,2389],{},[953,2395,2396],{},"Unchanged",[932,2398,2399,2402,2406,2410],{},[953,2400,2401],{},"Session expiry (during rotation)",[953,2403,2404],{},[860,2405,2389],{},[953,2407,2408],{},[860,2409,2389],{},[953,2411,2396],{},[856,2413,2414,2415,868,2417,2419,2420,2422],{},"Every creation event sets both ",[865,2416,867],{},[865,2418,871],{}," together. They are always written as a pair, with the same expiry. The ",[865,2421,879],{}," cookie is independent of the IAM session lifecycle; it persists across login\u002Flogout cycles and is managed entirely by the bot-detector.",[918,2424],{},[921,2426,2428],{"id":2427},"security-properties","Security Properties",[926,2430,2431,2450],{},[929,2432,2433],{},[932,2434,2435,2438,2442,2446],{},[935,2436,2437],{},"Property",[935,2439,2440],{},[865,2441,867],{},[935,2443,2444],{},[865,2445,871],{},[935,2447,2448],{},[865,2449,879],{},[948,2451,2452,2465,2477,2496,2508,2519,2530],{},[932,2453,2454,2458,2461,2463],{},[953,2455,2456],{},[865,2457,888],{},[953,2459,2460],{},"Yes",[953,2462,2460],{},[953,2464,2460],{},[932,2466,2467,2471,2473,2475],{},[953,2468,2469],{},[865,2470,892],{},[953,2472,2460],{},[953,2474,2460],{},[953,2476,2460],{},[932,2478,2479,2483,2487,2491],{},[953,2480,2481],{},[865,2482,1073],{},[953,2484,2485],{},[865,2486,1078],{},[953,2488,2489],{},[865,2490,1078],{},[953,2492,2493],{},[865,2494,2495],{},"lax",[932,2497,2498,2501,2504,2506],{},[953,2499,2500],{},"Accessible to JavaScript",[953,2502,2503],{},"No",[953,2505,2503],{},[953,2507,2503],{},[932,2509,2510,2513,2515,2517],{},[953,2511,2512],{},"Transmitted over HTTP",[953,2514,2503],{},[953,2516,2503],{},[953,2518,2503],{},[932,2520,2521,2524,2526,2528],{},[953,2522,2523],{},"Sent cross-site",[953,2525,2503],{},[953,2527,2503],{},[953,2529,2460],{},[932,2531,2532,2535,2537,2539],{},[953,2533,2534],{},"Contains sensitive data",[953,2536,2460],{},[953,2538,2503],{},[953,2540,2460],{},[1440,2542,2543],{},[856,2544,899,2545,2547,2548,2550,2551,2554,2555,2557],{},[865,2546,867],{}," cookie carries the raw refresh token. If an attacker obtains this value, they can request new access tokens. The service mitigates this with Pino's redaction system, which replaces ",[865,2549,2112],{}," with ",[865,2552,2553],{},"[SECRET]"," in HTTP logs. See ",[882,2556,143],{"href":144}," for the full list of redacted paths.",[2559,2560,2561],"style",{},"html pre.shiki code .sHOzp, html code.shiki .sHOzp{--shiki-light:#795E26;--shiki-default:#795E26;--shiki-dark:#50FA7B}html pre.shiki code .sDd4n, html code.shiki .sDd4n{--shiki-light:#000000;--shiki-default:#000000;--shiki-dark:#F8F8F2}html pre.shiki code .sjsA6, html code.shiki .sjsA6{--shiki-light:#001080;--shiki-default:#001080;--shiki-dark:#F8F8F2}html pre.shiki code .sFkSl, html code.shiki .sFkSl{--shiki-light:#A31515;--shiki-default:#A31515;--shiki-dark:#E9F284}html pre.shiki code .sFB1V, html code.shiki .sFB1V{--shiki-light:#A31515;--shiki-default:#A31515;--shiki-dark:#F1FA8C}html pre.shiki code .s34zl, html code.shiki .s34zl{--shiki-light:#001080;--shiki-default:#001080;--shiki-dark:#FF79C6}html pre.shiki code .sjR7W, html code.shiki .sjR7W{--shiki-light:#0000FF;--shiki-default:#0000FF;--shiki-dark:#BD93F9}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sl46w, html code.shiki .sl46w{--shiki-light:#0000FF;--shiki-default:#0000FF;--shiki-dark:#FF79C6}html pre.shiki code .sygFZ, html code.shiki .sygFZ{--shiki-light:#001080;--shiki-light-font-style:inherit;--shiki-default:#001080;--shiki-default-font-style:inherit;--shiki-dark:#FFB86C;--shiki-dark-font-style:italic}html pre.shiki code .saOXh, html code.shiki .saOXh{--shiki-light:#000000;--shiki-default:#000000;--shiki-dark:#FF79C6}html pre.shiki code .sFs1U, html code.shiki .sFs1U{--shiki-light:#267F99;--shiki-light-font-style:inherit;--shiki-default:#267F99;--shiki-default-font-style:inherit;--shiki-dark:#8BE9FD;--shiki-dark-font-style:italic}",{"title":1230,"searchDepth":1277,"depth":1277,"links":2563},[2564,2565,2571,2578,2582,2586,2591,2592],{"id":923,"depth":1277,"text":924},{"id":1006,"depth":1277,"text":2566,"children":2567},"session Cookie",[2568,2569,2570],{"id":1022,"depth":1294,"text":1023},{"id":1133,"depth":1294,"text":1134},{"id":1382,"depth":1294,"text":1383},{"id":1465,"depth":1277,"text":2572,"children":2573},"iat Cookie",[2574,2575,2576,2577],{"id":1478,"depth":1294,"text":1023},{"id":1580,"depth":1294,"text":946},{"id":1591,"depth":1294,"text":1134},{"id":1711,"depth":1294,"text":1383},{"id":1757,"depth":1277,"text":2579,"children":2580},"canary_id Cookie - Read-Only",[2581],{"id":1772,"depth":1294,"text":1773},{"id":1882,"depth":1277,"text":2583,"children":2584},"makeCookie Helper",[2585],{"id":1973,"depth":1294,"text":1974},{"id":2071,"depth":1277,"text":2072,"children":2587},[2588,2589,2590],{"id":2075,"depth":1294,"text":2078},{"id":2122,"depth":1294,"text":2125},{"id":2156,"depth":1294,"text":2159},{"id":2264,"depth":1277,"text":2265},{"id":2427,"depth":1277,"text":2428},"How the IAM service sets, reads, clears, and secures cookies including the session refresh token, the issued-at timestamp, and the bot-detector canary identifier.","md","i-lucide-cookie",{},null,"---\ntitle: Cookies\ndescription: How the IAM service sets, reads, clears, and secures cookies including the session refresh token, the issued-at timestamp, and the bot-detector canary identifier.\nicon: i-lucide-cookie\n---\n\nThe IAM service uses three cookies. It **sets** two of them `session` and `iat`, and **reads** one that it does not own, `canary_id`, which is set by the [bot-detector](\u002Fdocs\u002Fbot-detection). Every cookie the service writes is `httpOnly`, `secure`, and `sameSite: strict`. No cookie is ever accessible to client side JavaScript.\n\nThe `session` cookie carries the raw refresh token. The `iat` cookie carries the millisecond timestamp of when the credentials were last issued. Together, they let the client send refresh requests without storing sensitive values in `localStorage` or `sessionStorage`. The `canary_id` cookie is a device fingerprint created by the bot-detector and is consumed by the IAM service during signup, login, OAuth, and anomaly detection flows.\n\n---\n\n## Cookie Conventions\n\n| Cookie | Set by | Value | Purpose |\n|---|---|---|---|\n| `session` | IAM service | Raw refresh token, 64-byte hex string | Authenticates refresh and logout requests |\n| `iat` | IAM service | `Date.now().toString()`, milliseconds | Records when the last token pair was issued. Used by clients to decide when to trigger rotation. |\n| `canary_id` | Bot-detector | Device fingerprint identifier, up to 64 chars | Links the request to a `visitors` table row. Used for anomaly detection, signup validation, and user creation. |\n\n---\n\n## `session` Cookie\n\nThe `session` cookie is the most security-critical cookie in the system. It contains the raw, unhashed refresh token. The server stores only a SHA-256 hash of this value in the `refresh_tokens` table. Anyone who possesses the raw cookie value can request a new access token.\n\n### Options\n\n| Option | Value | Reason |\n|---|---|---|\n| `httpOnly` | `true` | Prevents JavaScript access. Mitigates XSS token theft. |\n| `secure` | `true` | Only transmitted over HTTPS. |\n| `sameSite` | `strict` | Only sent on same-site requests. Prevents CSRF. |\n| `domain` | `jwt.refresh_tokens.domain` | Scoped to the configured domain (e.g., `.example.com` for cross-subdomain sharing). |\n| `path` | `\u002F` | Available on all paths. |\n| `expires` | `refreshToken.expiresAt` | Matches the refresh token's database expiry. The cookie and the token expire at the same moment. |\n\n### When It Is Set\n\nThe `session` cookie is written in every flow that issues a new refresh token:\n\n| Flow | Controller | Trigger |\n|---|---|---|\n| Login | `loginController` | Successful email\u002Fpassword authentication |\n| Signup | `signUpController` | New account creation |\n| Token rotation | `rotateCredentials` | `POST \u002Fauth\u002Fuser\u002Frefresh-session` |\n| OAuth | `OAuth` controller | Successful OAuth provider callback |\n| MFA completion | `verifyMfaCode` | Successful MFA code verification |\n\nIn every case, the pattern is the same:\n\n```ts\nmakeCookie(res, 'session', newRefresh.raw, {\n  httpOnly: true,\n  sameSite: 'strict',\n  secure: true,\n  domain: jwt.refresh_tokens.domain,\n  path: '\u002F',\n  expires: newRefresh.expiresAt\n})\n```\n\n### When It Is Cleared\n\nThe `session` cookie is cleared in two scenarios:\n\n::steps{level=\"4\"}\n#### Logout\nThe logout controller calls `res.clearCookie('session', options)` with the same `httpOnly`, `sameSite`, `secure`, `domain`, and `path` options used when setting it. Matching every option exactly is required by the browser's cookie deletion rules.\n\n#### Session expiry during rotation\nWhen the rotation controller detects that `session_started_at` exceeds `MAX_SESSION_LIFE`, it revokes the token, clears both `session` and `iat`, and returns `401 Session is expired`. The user must log in again.\n::\n\n::warning\nIf any option in `clearCookie` does not match the original `setCookie` options (different `domain`, `path`, or `sameSite`), the browser silently ignores the deletion request and the cookie persists. The service always uses the same option set for both operations.\n::\n\n---\n\n## `iat` Cookie\n\nThe `iat` (issued-at) cookie records the moment when the most recent token pair (access + refresh) was issued. The value is `Date.now().toString()`, a millisecond Unix timestamp as a string.\n\n### Options\n\n| Option | Value | Reason |\n|---|---|---|\n| `httpOnly` | `true` | Not accessible to JavaScript. |\n| `secure` | `true` | HTTPS only. |\n| `sameSite` | `strict` | Same-site only. |\n| `domain` | Not set | Unlike `session`, the `iat` cookie does not specify a `domain`. It defaults to the exact hostname that set it. |\n| `path` | `\u002F` | Available on all paths. |\n| `expires` | `refreshToken.expiresAt` | Expires alongside the refresh token. |\n\n### Purpose\n\nThe `iat` cookie helps upstream services determine how recently credentials were issued without decoding the access token JWT. A BFF can read the `iat` value to decide whether a proactive rotation is needed before the access token expires.\n\n### When It Is Set\n\nThe `iat` cookie is always set alongside the `session` cookie. Every flow listed in the `session` cookie table above also sets `iat`:\n\n```ts\nmakeCookie(res, 'iat', Date.now().toString(), {\n  httpOnly: true,\n  secure: true,\n  sameSite: 'strict',\n  path: '\u002F',\n  expires: newRefresh.expiresAt\n})\n```\n\n### When It Is Cleared\n\nThe `iat` cookie is cleared alongside `session` during logout and session expiry. The `clearCookie` call uses the same `httpOnly`, `sameSite`, `secure`, and `path` options. For logout specifically, the `domain` is explicitly set to `jwt.refresh_tokens.domain` in the clear call to ensure the deletion reaches the correct scope.\n\n::note\nThe `iat` cookie is set without a `domain` but cleared with `domain: jwt.refresh_tokens.domain` in the logout controller. This inconsistency works because browsers treat a cookie set without a domain as belonging to the exact host, and a clear with a broader domain will match it if the host falls within that domain scope.\n::\n\n---\n\n## `canary_id` Cookie - Read-Only\n\nThe IAM service reads but never writes the `canary_id` cookie. This cookie is set by the [bot-detector](\u002Fdocs\u002Fbot-detection) middleware, which runs before the IAM service's routes.\n\n### How the IAM Service Uses It\n\n| Consumer | Purpose |\n|---|---|\n| Signup guard | Validates that `canary_id` is present in the request. Returns `400` if missing, because the visitor record is required for user creation. |\n| Login guard | Same validation. Returns `400` if missing. |\n| OAuth guard | Same validation. Returns `400` if missing. |\n| `createUser()` | Uses the `canary_id` to look up the `visitor_id` from the `visitors` table, then stores it in the new user's `visitor_id` column. |\n| `trustVisitor()` | Marks the visitor record as trusted after successful authentication (clears suspicious activity flags). |\n| `strangeThings()` | The anomaly detection engine uses `canary_id` to load the full visitor record (IP, geo, device, proxy status, suspicion score) and compare it against the current request. |\n\n::warning\nThe `canary_id` cookie is a hard requirement for signup, login, and OAuth flows. If the bot-detector is not running or the cookie is missing, these endpoints return `400` without processing the request. You cannot create users without a valid visitor record.\n::\n\n---\n\n## `makeCookie` Helper\n\nAll cookie operations go through the `makeCookie` utility function. It wraps `res.cookie()` with automatic prefix enforcement for security-hardened cookie names.\n\n```ts\nfunction makeCookie(\n  res: Response,\n  name: string,\n  value: string,\n  options: CookieOptions\n): void\n```\n\n### Prefix Enforcement\n\nThe function checks the cookie name for two standard security prefixes and enforces the corresponding browser requirements:\n\n| Prefix | Enforced Options | Effect |\n|---|---|---|\n| `__Secure-` | `secure: true` | The function forces `secure` to `true` regardless of what was passed in `options`. |\n| `__Host-` | `secure: true`, `path: '\u002F'`, domain deleted | The function forces `secure` to `true`, sets `path` to `'\u002F'`, and removes any `domain` from the options. `__Host-` cookies cannot be scoped to a parent domain. |\n\nCurrently, the IAM service uses plain cookie names (`session`, `iat`) without a prefix. The prefix enforcement exists for forward compatibility if the service adopts `__Host-session` or `__Secure-session` naming in the future. The enforcement logic runs on every call, so switching to prefixed names requires only changing the name string; the security constraints apply automatically.\n\n---\n\n## Cookie Middleware\n\n### `cookieParser`\n\nThe service mounts `cookieParser()` as Express middleware. It runs after `express.json()` and before any route handler:\n\n```\nhttpLogger, helmet, headers, validateIp, hmacAuth?, json, cookieParser, routes\n```\n\n`cookieParser` parses the `Cookie` header and populates `req.cookies` as a key-value object. Every route handler downstream can access `req.cookies.session`, `req.cookies.iat`, and `req.cookies.canary_id` directly.\n\n### `requireRefreshToken`\n\nA middleware guard that checks for the `session` cookie before allowing the request to proceed. If `req.cookies.session` is missing or empty, the middleware returns `401` immediately. Used on routes that consume the refresh token:\n\n- `POST \u002Fauth\u002Fuser\u002Frefresh-session` rotation\n- `POST \u002Fauth\u002Flogout` logout\n\n### `acceptCookieOnly`\n\nA stricter middleware guard for endpoints where the cookie should be the **only** input. It rejects requests that include a body, query parameters, or a `Content-Type` header. Exported from `@riavzon\u002Fauth` as `acceptCookieOnly`.\n\nThe `acceptCookieOnly` middleware performs these checks:\n\n::steps{level=\"4\"}\n#### Validate cookie presence\nReturns `401` if `req.cookies.session` is missing or not a string.\n\n#### Reject request body\nReturns `400` if any of these conditions are true: `req.body` contains keys, the `Content-Length` header is greater than zero, or the `Transfer-Encoding` header includes `chunked`. This triple check catches payloads even if body parsing fails or is bypassed.\n\n#### Reject query parameters\nReturns `400` if `req.query` contains any keys. The request should have no query string.\n\n#### Reject Content-Type\nReturns `400` if the `Content-Type` header is set. Cookie-only endpoints do not accept content.\n::\n\n::tip\n`acceptCookieOnly` is applied to the rotation and logout routes to ensure the refresh token comes exclusively from the `session` cookie. This prevents token injection through the request body or query string, which would bypass the `httpOnly` protection of the cookie.\n::\n\n---\n\n## Cookie Lifecycle Summary\n\nThe diagram below shows when each cookie is created and destroyed across the authentication lifecycle:\n\n| Event | `session` | `iat` | `canary_id` |\n|---|---|---|---|\n| First visit (bot-detector) | | | **Created** |\n| Signup | **Created** | **Created** | Read |\n| Login | **Created** | **Created** | Read |\n| OAuth callback | **Created** | **Created** | Read |\n| MFA verification | **Created** | **Created** | Read |\n| Token rotation | Cleared, then **re-created** | Cleared, then **re-created** | Read |\n| Logout | **Cleared** | **Cleared** | Unchanged |\n| Session expiry (during rotation) | **Cleared** | **Cleared** | Unchanged |\n\nEvery creation event sets both `session` and `iat` together. They are always written as a pair, with the same expiry. The `canary_id` cookie is independent of the IAM session lifecycle; it persists across login\u002Flogout cycles and is managed entirely by the bot-detector.\n\n---\n\n## Security Properties\n\n| Property | `session` | `iat` | `canary_id` |\n|---|---|---|---|\n| `httpOnly` | Yes | Yes | Yes |\n| `secure` | Yes | Yes | Yes |\n| `sameSite` | `strict` | `strict` | `lax` |\n| Accessible to JavaScript | No | No | No |\n| Transmitted over HTTP | No | No | No |\n| Sent cross-site | No | No | Yes |\n| Contains sensitive data | Yes | No | Yes |\n\n::warning\nThe `session` cookie carries the raw refresh token. If an attacker obtains this value, they can request new access tokens. The service mitigates this with Pino's redaction system, which replaces `req.cookies.session` with `[SECRET]` in HTTP logs. See [Logging](\u002Fdocs\u002Fiam\u002Fessentials\u002Flogging) for the full list of redacted paths.\n::\n",{"title":155,"description":2593},"GDRmkfUfiARniptB07kVpHFKxQRyt9IqhHMbci4FFyc",[2602,2603],{"title":151,"path":152,"stem":153,"children":-1},{"title":159,"path":160,"stem":161,"children":-1},{"id":851,"title":155,"body":2605,"description":2593,"extension":2594,"icon":2595,"meta":3947,"module":2597,"navigation":8,"path":156,"rawbody":2598,"seo":3948,"stem":157,"__hash__":2600},{"type":853,"value":2606,"toc":3920},[2607,2627,2639,2641,2643,2699,2701,2705,2711,2713,2801,2803,2807,2873,2875,2987,2989,2993,3025,3039,3041,3045,3051,3053,3143,3145,3151,3153,3163,3261,3263,3283,3293,3295,3299,3305,3307,3379,3387,3389,3393,3399,3457,3459,3461,3519,3529,3531,3533,3537,3543,3548,3562,3566,3574,3584,3588,3598,3602,3642,3652,3654,3656,3658,3790,3798,3800,3802,3906,3918],[856,2608,858,2609,863,2611,868,2613,872,2615,876,2617,880,2619,885,2621,889,2623,872,2625,896],{},[860,2610,862],{},[865,2612,867],{},[865,2614,871],{},[860,2616,875],{},[865,2618,879],{},[882,2620,884],{"href":35},[865,2622,888],{},[865,2624,892],{},[865,2626,895],{},[856,2628,899,2629,902,2631,905,2633,909,2635,913,2637,916],{},[865,2630,867],{},[865,2632,871],{},[865,2634,908],{},[865,2636,912],{},[865,2638,879],{},[918,2640],{},[921,2642,924],{"id":923},[926,2644,2645,2657],{},[929,2646,2647],{},[932,2648,2649,2651,2653,2655],{},[935,2650,937],{},[935,2652,940],{},[935,2654,943],{},[935,2656,946],{},[948,2658,2659,2671,2685],{},[932,2660,2661,2665,2667,2669],{},[953,2662,2663],{},[865,2664,867],{},[953,2666,959],{},[953,2668,962],{},[953,2670,965],{},[932,2672,2673,2677,2679,2683],{},[953,2674,2675],{},[865,2676,871],{},[953,2678,959],{},[953,2680,2681,979],{},[865,2682,978],{},[953,2684,982],{},[932,2686,2687,2691,2693,2695],{},[953,2688,2689],{},[865,2690,879],{},[953,2692,991],{},[953,2694,994],{},[953,2696,997,2697,1001],{},[865,2698,1000],{},[918,2700],{},[921,2702,2703,1009],{"id":1006},[865,2704,867],{},[856,2706,899,2707,1014,2709,1018],{},[865,2708,867],{},[865,2710,1017],{},[1020,2712,1023],{"id":1022},[926,2714,2715,2725],{},[929,2716,2717],{},[932,2718,2719,2721,2723],{},[935,2720,1032],{},[935,2722,943],{},[935,2724,1037],{},[948,2726,2727,2739,2751,2763,2777,2789],{},[932,2728,2729,2733,2737],{},[953,2730,2731],{},[865,2732,888],{},[953,2734,2735],{},[865,2736,1050],{},[953,2738,1053],{},[932,2740,2741,2745,2749],{},[953,2742,2743],{},[865,2744,892],{},[953,2746,2747],{},[865,2748,1050],{},[953,2750,1066],{},[932,2752,2753,2757,2761],{},[953,2754,2755],{},[865,2756,1073],{},[953,2758,2759],{},[865,2760,1078],{},[953,2762,1081],{},[932,2764,2765,2769,2773],{},[953,2766,2767],{},[865,2768,1088],{},[953,2770,2771],{},[865,2772,1093],{},[953,2774,1096,2775,1100],{},[865,2776,1099],{},[932,2778,2779,2783,2787],{},[953,2780,2781],{},[865,2782,1107],{},[953,2784,2785],{},[865,2786,1112],{},[953,2788,1115],{},[932,2790,2791,2795,2799],{},[953,2792,2793],{},[865,2794,1122],{},[953,2796,2797],{},[865,2798,1127],{},[953,2800,1130],{},[1020,2802,1134],{"id":1133},[856,2804,899,2805,1139],{},[865,2806,867],{},[926,2808,2809,2819],{},[929,2810,2811],{},[932,2812,2813,2815,2817],{},[935,2814,1148],{},[935,2816,1151],{},[935,2818,1154],{},[948,2820,2821,2831,2841,2853,2863],{},[932,2822,2823,2825,2829],{},[953,2824,103],{},[953,2826,2827],{},[865,2828,1165],{},[953,2830,1168],{},[932,2832,2833,2835,2839],{},[953,2834,99],{},[953,2836,2837],{},[865,2838,1177],{},[953,2840,1180],{},[932,2842,2843,2845,2849],{},[953,2844,1185],{},[953,2846,2847],{},[865,2848,1190],{},[953,2850,2851],{},[865,2852,1195],{},[932,2854,2855,2857,2861],{},[953,2856,111],{},[953,2858,2859,1204],{},[865,2860,111],{},[953,2862,1207],{},[932,2864,2865,2867,2871],{},[953,2866,1212],{},[953,2868,2869],{},[865,2870,1217],{},[953,2872,1220],{},[856,2874,1223],{},[1225,2876,2877],{"className":1227,"code":1228,"language":1229,"meta":1230,"style":1230},[865,2878,2879,2905,2915,2929,2939,2957,2971,2983],{"__ignoreMap":1230},[1234,2880,2881,2883,2885,2887,2889,2891,2893,2895,2897,2899,2901,2903],{"class":1236,"line":1237},[1234,2882,1241],{"class":1240},[1234,2884,1245],{"class":1244},[1234,2886,1249],{"class":1248},[1234,2888,889],{"class":1244},[1234,2890,1255],{"class":1254},[1234,2892,867],{"class":1258},[1234,2894,1255],{"class":1254},[1234,2896,889],{"class":1244},[1234,2898,1265],{"class":1248},[1234,2900,1268],{"class":1244},[1234,2902,1271],{"class":1248},[1234,2904,1274],{"class":1244},[1234,2906,2907,2909,2911,2913],{"class":1236,"line":1277},[1234,2908,1280],{"class":1248},[1234,2910,1284],{"class":1283},[1234,2912,1288],{"class":1287},[1234,2914,1291],{"class":1244},[1234,2916,2917,2919,2921,2923,2925,2927],{"class":1236,"line":1294},[1234,2918,1297],{"class":1248},[1234,2920,1284],{"class":1283},[1234,2922,1302],{"class":1254},[1234,2924,1078],{"class":1258},[1234,2926,1255],{"class":1254},[1234,2928,1291],{"class":1244},[1234,2930,2931,2933,2935,2937],{"class":1236,"line":1311},[1234,2932,1314],{"class":1248},[1234,2934,1284],{"class":1283},[1234,2936,1288],{"class":1287},[1234,2938,1291],{"class":1244},[1234,2940,2941,2943,2945,2947,2949,2951,2953,2955],{"class":1236,"line":1323},[1234,2942,1326],{"class":1248},[1234,2944,1284],{"class":1283},[1234,2946,1331],{"class":1248},[1234,2948,1268],{"class":1244},[1234,2950,1017],{"class":1248},[1234,2952,1268],{"class":1244},[1234,2954,1088],{"class":1248},[1234,2956,1291],{"class":1244},[1234,2958,2959,2961,2963,2965,2967,2969],{"class":1236,"line":1344},[1234,2960,1347],{"class":1248},[1234,2962,1284],{"class":1283},[1234,2964,1302],{"class":1254},[1234,2966,1112],{"class":1258},[1234,2968,1255],{"class":1254},[1234,2970,1291],{"class":1244},[1234,2972,2973,2975,2977,2979,2981],{"class":1236,"line":1360},[1234,2974,1363],{"class":1248},[1234,2976,1284],{"class":1283},[1234,2978,1368],{"class":1248},[1234,2980,1268],{"class":1244},[1234,2982,1373],{"class":1248},[1234,2984,2985],{"class":1236,"line":1376},[1234,2986,1379],{"class":1244},[1020,2988,1383],{"id":1382},[856,2990,899,2991,1388],{},[865,2992,867],{},[1390,2994,2995,2997,3011,3013],{"level":1392},[1394,2996,107],{"id":1396},[856,2998,1399,2999,1403,3001,889,3003,889,3005,889,3007,872,3009,1414],{},[865,3000,1402],{},[865,3002,888],{},[865,3004,1073],{},[865,3006,892],{},[865,3008,1088],{},[865,3010,1107],{},[1394,3012,1418],{"id":1417},[856,3014,1421,3015,1425,3017,1429,3019,868,3021,1434,3023,1438],{},[865,3016,1424],{},[865,3018,1428],{},[865,3020,867],{},[865,3022,871],{},[865,3024,1437],{},[1440,3026,3027],{},[856,3028,1444,3029,1448,3031,1452,3033,889,3035,1457,3037,1460],{},[865,3030,1447],{},[865,3032,1451],{},[865,3034,1088],{},[865,3036,1107],{},[865,3038,1073],{},[918,3040],{},[921,3042,3043,1009],{"id":1465},[865,3044,871],{},[856,3046,899,3047,1472,3049,1475],{},[865,3048,871],{},[865,3050,978],{},[1020,3052,1023],{"id":1478},[926,3054,3055,3065],{},[929,3056,3057],{},[932,3058,3059,3061,3063],{},[935,3060,1032],{},[935,3062,943],{},[935,3064,1037],{},[948,3066,3067,3079,3091,3103,3119,3131],{},[932,3068,3069,3073,3077],{},[953,3070,3071],{},[865,3072,888],{},[953,3074,3075],{},[865,3076,1050],{},[953,3078,1505],{},[932,3080,3081,3085,3089],{},[953,3082,3083],{},[865,3084,892],{},[953,3086,3087],{},[865,3088,1050],{},[953,3090,1518],{},[932,3092,3093,3097,3101],{},[953,3094,3095],{},[865,3096,1073],{},[953,3098,3099],{},[865,3100,1078],{},[953,3102,1531],{},[932,3104,3105,3109,3111],{},[953,3106,3107],{},[865,3108,1088],{},[953,3110,1540],{},[953,3112,1543,3113,1546,3115,1549,3117,1552],{},[865,3114,867],{},[865,3116,871],{},[865,3118,1088],{},[932,3120,3121,3125,3129],{},[953,3122,3123],{},[865,3124,1107],{},[953,3126,3127],{},[865,3128,1112],{},[953,3130,1115],{},[932,3132,3133,3137,3141],{},[953,3134,3135],{},[865,3136,1122],{},[953,3138,3139],{},[865,3140,1127],{},[953,3142,1577],{},[1020,3144,946],{"id":1580},[856,3146,899,3147,1585,3149,1588],{},[865,3148,871],{},[865,3150,871],{},[1020,3152,1134],{"id":1591},[856,3154,899,3155,1596,3157,1599,3159,1602,3161,1284],{},[865,3156,871],{},[865,3158,867],{},[865,3160,867],{},[865,3162,871],{},[1225,3164,3165],{"className":1227,"code":1607,"language":1229,"meta":1230,"style":1230},[865,3166,3167,3197,3207,3217,3231,3245,3257],{"__ignoreMap":1230},[1234,3168,3169,3171,3173,3175,3177,3179,3181,3183,3185,3187,3189,3191,3193,3195],{"class":1236,"line":1237},[1234,3170,1241],{"class":1240},[1234,3172,1245],{"class":1244},[1234,3174,1249],{"class":1248},[1234,3176,889],{"class":1244},[1234,3178,1255],{"class":1254},[1234,3180,871],{"class":1258},[1234,3182,1255],{"class":1254},[1234,3184,889],{"class":1244},[1234,3186,1630],{"class":1248},[1234,3188,1268],{"class":1244},[1234,3190,1635],{"class":1240},[1234,3192,1638],{"class":1244},[1234,3194,1641],{"class":1240},[1234,3196,1644],{"class":1244},[1234,3198,3199,3201,3203,3205],{"class":1236,"line":1277},[1234,3200,1280],{"class":1248},[1234,3202,1284],{"class":1283},[1234,3204,1288],{"class":1287},[1234,3206,1291],{"class":1244},[1234,3208,3209,3211,3213,3215],{"class":1236,"line":1294},[1234,3210,1314],{"class":1248},[1234,3212,1284],{"class":1283},[1234,3214,1288],{"class":1287},[1234,3216,1291],{"class":1244},[1234,3218,3219,3221,3223,3225,3227,3229],{"class":1236,"line":1311},[1234,3220,1297],{"class":1248},[1234,3222,1284],{"class":1283},[1234,3224,1302],{"class":1254},[1234,3226,1078],{"class":1258},[1234,3228,1255],{"class":1254},[1234,3230,1291],{"class":1244},[1234,3232,3233,3235,3237,3239,3241,3243],{"class":1236,"line":1323},[1234,3234,1347],{"class":1248},[1234,3236,1284],{"class":1283},[1234,3238,1302],{"class":1254},[1234,3240,1112],{"class":1258},[1234,3242,1255],{"class":1254},[1234,3244,1291],{"class":1244},[1234,3246,3247,3249,3251,3253,3255],{"class":1236,"line":1344},[1234,3248,1363],{"class":1248},[1234,3250,1284],{"class":1283},[1234,3252,1368],{"class":1248},[1234,3254,1268],{"class":1244},[1234,3256,1373],{"class":1248},[1234,3258,3259],{"class":1236,"line":1360},[1234,3260,1379],{"class":1244},[1020,3262,1383],{"id":1711},[856,3264,899,3265,1716,3267,1719,3269,1722,3271,889,3273,889,3275,872,3277,1731,3279,1734,3281,1737],{},[865,3266,871],{},[865,3268,867],{},[865,3270,1447],{},[865,3272,888],{},[865,3274,1073],{},[865,3276,892],{},[865,3278,1107],{},[865,3280,1088],{},[865,3282,1093],{},[1739,3284,3285],{},[856,3286,899,3287,1745,3289,1748,3291,1752],{},[865,3288,871],{},[865,3290,1088],{},[865,3292,1751],{},[918,3294],{},[921,3296,3297,1760],{"id":1757},[865,3298,879],{},[856,3300,1763,3301,1766,3303,1769],{},[865,3302,879],{},[882,3304,884],{"href":35},[1020,3306,1773],{"id":1772},[926,3308,3309,3317],{},[929,3310,3311],{},[932,3312,3313,3315],{},[935,3314,1782],{},[935,3316,946],{},[948,3318,3319,3329,3337,3345,3361,3369],{},[932,3320,3321,3323],{},[953,3322,1791],{},[953,3324,1794,3325,1797,3327,1801],{},[865,3326,879],{},[865,3328,1800],{},[932,3330,3331,3333],{},[953,3332,1806],{},[953,3334,1809,3335,1812],{},[865,3336,1800],{},[932,3338,3339,3341],{},[953,3340,1817],{},[953,3342,1809,3343,1812],{},[865,3344,1800],{},[932,3346,3347,3351],{},[953,3348,3349],{},[865,3350,1828],{},[953,3352,1831,3353,1834,3355,1838,3357,1841,3359,1844],{},[865,3354,879],{},[865,3356,1837],{},[865,3358,1000],{},[865,3360,1837],{},[932,3362,3363,3367],{},[953,3364,3365],{},[865,3366,1851],{},[953,3368,1854],{},[932,3370,3371,3375],{},[953,3372,3373],{},[865,3374,1861],{},[953,3376,1864,3377,1867],{},[865,3378,879],{},[1440,3380,3381],{},[856,3382,899,3383,1874,3385,1877],{},[865,3384,879],{},[865,3386,1800],{},[918,3388],{},[921,3390,3391,1885],{"id":1882},[865,3392,1241],{},[856,3394,1888,3395,1891,3397,1895],{},[865,3396,1241],{},[865,3398,1894],{},[1225,3400,3401],{"className":1227,"code":1898,"language":1229,"meta":1230,"style":1230},[865,3402,3403,3411,3421,3431,3441,3449],{"__ignoreMap":1230},[1234,3404,3405,3407,3409],{"class":1236,"line":1237},[1234,3406,1906],{"class":1905},[1234,3408,1909],{"class":1240},[1234,3410,1912],{"class":1244},[1234,3412,3413,3415,3417,3419],{"class":1236,"line":1277},[1234,3414,1918],{"class":1917},[1234,3416,1284],{"class":1921},[1234,3418,1925],{"class":1924},[1234,3420,1291],{"class":1244},[1234,3422,3423,3425,3427,3429],{"class":1236,"line":1294},[1234,3424,1932],{"class":1917},[1234,3426,1284],{"class":1921},[1234,3428,1937],{"class":1924},[1234,3430,1291],{"class":1244},[1234,3432,3433,3435,3437,3439],{"class":1236,"line":1311},[1234,3434,1944],{"class":1917},[1234,3436,1284],{"class":1921},[1234,3438,1937],{"class":1924},[1234,3440,1291],{"class":1244},[1234,3442,3443,3445,3447],{"class":1236,"line":1323},[1234,3444,1955],{"class":1917},[1234,3446,1284],{"class":1921},[1234,3448,1960],{"class":1924},[1234,3450,3451,3453,3455],{"class":1236,"line":1344},[1234,3452,1965],{"class":1244},[1234,3454,1284],{"class":1921},[1234,3456,1970],{"class":1924},[1020,3458,1974],{"id":1973},[856,3460,1977],{},[926,3462,3463,3473],{},[929,3464,3465],{},[932,3466,3467,3469,3471],{},[935,3468,1986],{},[935,3470,1989],{},[935,3472,1992],{},[948,3474,3475,3493],{},[932,3476,3477,3481,3485],{},[953,3478,3479],{},[865,3480,2001],{},[953,3482,3483],{},[865,3484,2006],{},[953,3486,2009,3487,2012,3489,2015,3491,1268],{},[865,3488,892],{},[865,3490,1050],{},[865,3492,1022],{},[932,3494,3495,3499,3505],{},[953,3496,3497],{},[865,3498,2024],{},[953,3500,3501,889,3503,2032],{},[865,3502,2006],{},[865,3504,2031],{},[953,3506,2009,3507,2012,3509,2039,3511,2012,3513,2045,3515,2048,3517,2051],{},[865,3508,892],{},[865,3510,1050],{},[865,3512,1107],{},[865,3514,2044],{},[865,3516,1088],{},[865,3518,2024],{},[856,3520,2054,3521,889,3523,2059,3525,909,3527,2066],{},[865,3522,867],{},[865,3524,871],{},[865,3526,2062],{},[865,3528,2065],{},[918,3530],{},[921,3532,2072],{"id":2071},[1020,3534,3535],{"id":2075},[865,3536,2078],{},[856,3538,2081,3539,2085,3541,2089],{},[865,3540,2084],{},[865,3542,2088],{},[1225,3544,3546],{"className":3545,"code":2094,"language":2095},[2093],[865,3547,2094],{"__ignoreMap":1230},[856,3549,3550,2102,3552,2105,3554,2109,3556,889,3558,872,3560,2119],{},[865,3551,2078],{},[865,3553,937],{},[865,3555,2108],{},[865,3557,2112],{},[865,3559,2115],{},[865,3561,2118],{},[1020,3563,3564],{"id":2122},[865,3565,2125],{},[856,3567,2128,3568,2131,3570,2134,3572,2138],{},[865,3569,867],{},[865,3571,2112],{},[865,3573,2137],{},[2140,3575,3576,3580],{},[2143,3577,3578,2147],{},[865,3579,1195],{},[2143,3581,3582,2153],{},[865,3583,2152],{},[1020,3585,3586],{"id":2156},[865,3587,2159],{},[856,3589,2162,3590,2166,3592,2170,3594,2174,3596,1268],{},[860,3591,2165],{},[865,3593,2169],{},[865,3595,2173],{},[865,3597,2159],{},[856,3599,899,3600,2181],{},[865,3601,2159],{},[1390,3603,3604,3606,3612,3614,3626,3628,3634,3636],{"level":1392},[1394,3605,2187],{"id":2186},[856,3607,2190,3608,2193,3610,2196],{},[865,3609,2137],{},[865,3611,2112],{},[1394,3613,2200],{"id":2199},[856,3615,2190,3616,2205,3618,2209,3620,2213,3622,2217,3624,2221],{},[865,3617,1800],{},[865,3619,2208],{},[865,3621,2212],{},[865,3623,2216],{},[865,3625,2220],{},[1394,3627,2225],{"id":2224},[856,3629,2190,3630,2193,3632,2233],{},[865,3631,1800],{},[865,3633,2232],{},[1394,3635,2237],{"id":2236},[856,3637,2190,3638,2242,3640,2245],{},[865,3639,1800],{},[865,3641,2169],{},[2247,3643,3644],{},[856,3645,3646,2253,3648,2256,3650,2259],{},[865,3647,2159],{},[865,3649,867],{},[865,3651,888],{},[918,3653],{},[921,3655,2265],{"id":2264},[856,3657,2268],{},[926,3659,3660,3678],{},[929,3661,3662],{},[932,3663,3664,3666,3670,3674],{},[935,3665,2277],{},[935,3667,3668],{},[865,3669,867],{},[935,3671,3672],{},[865,3673,871],{},[935,3675,3676],{},[865,3677,879],{},[948,3679,3680,3692,3706,3720,3734,3748,3762,3776],{},[932,3681,3682,3684,3686,3688],{},[953,3683,2296],{},[953,3685],{},[953,3687],{},[953,3689,3690],{},[860,3691,2305],{},[932,3693,3694,3696,3700,3704],{},[953,3695,99],{},[953,3697,3698],{},[860,3699,2305],{},[953,3701,3702],{},[860,3703,2305],{},[953,3705,2320],{},[932,3707,3708,3710,3714,3718],{},[953,3709,103],{},[953,3711,3712],{},[860,3713,2305],{},[953,3715,3716],{},[860,3717,2305],{},[953,3719,2320],{},[932,3721,3722,3724,3728,3732],{},[953,3723,2339],{},[953,3725,3726],{},[860,3727,2305],{},[953,3729,3730],{},[860,3731,2305],{},[953,3733,2320],{},[932,3735,3736,3738,3742,3746],{},[953,3737,2354],{},[953,3739,3740],{},[860,3741,2305],{},[953,3743,3744],{},[860,3745,2305],{},[953,3747,2320],{},[932,3749,3750,3752,3756,3760],{},[953,3751,1185],{},[953,3753,2371,3754],{},[860,3755,2374],{},[953,3757,2371,3758],{},[860,3759,2374],{},[953,3761,2320],{},[932,3763,3764,3766,3770,3774],{},[953,3765,107],{},[953,3767,3768],{},[860,3769,2389],{},[953,3771,3772],{},[860,3773,2389],{},[953,3775,2396],{},[932,3777,3778,3780,3784,3788],{},[953,3779,2401],{},[953,3781,3782],{},[860,3783,2389],{},[953,3785,3786],{},[860,3787,2389],{},[953,3789,2396],{},[856,3791,2414,3792,868,3794,2419,3796,2422],{},[865,3793,867],{},[865,3795,871],{},[865,3797,879],{},[918,3799],{},[921,3801,2428],{"id":2427},[926,3803,3804,3822],{},[929,3805,3806],{},[932,3807,3808,3810,3814,3818],{},[935,3809,2437],{},[935,3811,3812],{},[865,3813,867],{},[935,3815,3816],{},[865,3817,871],{},[935,3819,3820],{},[865,3821,879],{},[948,3823,3824,3836,3848,3866,3876,3886,3896],{},[932,3825,3826,3830,3832,3834],{},[953,3827,3828],{},[865,3829,888],{},[953,3831,2460],{},[953,3833,2460],{},[953,3835,2460],{},[932,3837,3838,3842,3844,3846],{},[953,3839,3840],{},[865,3841,892],{},[953,3843,2460],{},[953,3845,2460],{},[953,3847,2460],{},[932,3849,3850,3854,3858,3862],{},[953,3851,3852],{},[865,3853,1073],{},[953,3855,3856],{},[865,3857,1078],{},[953,3859,3860],{},[865,3861,1078],{},[953,3863,3864],{},[865,3865,2495],{},[932,3867,3868,3870,3872,3874],{},[953,3869,2500],{},[953,3871,2503],{},[953,3873,2503],{},[953,3875,2503],{},[932,3877,3878,3880,3882,3884],{},[953,3879,2512],{},[953,3881,2503],{},[953,3883,2503],{},[953,3885,2503],{},[932,3887,3888,3890,3892,3894],{},[953,3889,2523],{},[953,3891,2503],{},[953,3893,2503],{},[953,3895,2460],{},[932,3897,3898,3900,3902,3904],{},[953,3899,2534],{},[953,3901,2460],{},[953,3903,2503],{},[953,3905,2460],{},[1440,3907,3908],{},[856,3909,899,3910,2547,3912,2550,3914,2554,3916,2557],{},[865,3911,867],{},[865,3913,2112],{},[865,3915,2553],{},[882,3917,143],{"href":144},[2559,3919,2561],{},{"title":1230,"searchDepth":1277,"depth":1277,"links":3921},[3922,3923,3928,3934,3937,3940,3945,3946],{"id":923,"depth":1277,"text":924},{"id":1006,"depth":1277,"text":2566,"children":3924},[3925,3926,3927],{"id":1022,"depth":1294,"text":1023},{"id":1133,"depth":1294,"text":1134},{"id":1382,"depth":1294,"text":1383},{"id":1465,"depth":1277,"text":2572,"children":3929},[3930,3931,3932,3933],{"id":1478,"depth":1294,"text":1023},{"id":1580,"depth":1294,"text":946},{"id":1591,"depth":1294,"text":1134},{"id":1711,"depth":1294,"text":1383},{"id":1757,"depth":1277,"text":2579,"children":3935},[3936],{"id":1772,"depth":1294,"text":1773},{"id":1882,"depth":1277,"text":2583,"children":3938},[3939],{"id":1973,"depth":1294,"text":1974},{"id":2071,"depth":1277,"text":2072,"children":3941},[3942,3943,3944],{"id":2075,"depth":1294,"text":2078},{"id":2122,"depth":1294,"text":2125},{"id":2156,"depth":1294,"text":2159},{"id":2264,"depth":1277,"text":2265},{"id":2427,"depth":1277,"text":2428},{},{"title":155,"description":2593},1780436283374]