Cookie inventory
Last updated: 2026-05-17
Full inventory of cookies set when you visit apxlbs.com. We use ONLY strictly-necessary cookies — no consent banner is required for the cookies listed here under LGPD Art. 5 §III and the GDPR ePrivacy Directive functional exemption.
Companion reading: /privacy · /terms · /security.
Cookies we set
| Name | Type | Set when | Retention |
|---|---|---|---|
| __Host-authjs.session-token (prod) / authjs.session-token (dev) | Strictly necessary | On successful sign-in via magic link | Rolling 30-day max; deleted on sign-out |
| apxlbs_2fa | Strictly necessary | On successful TOTP / recovery code verification | 12 hours |
| authjs.csrf-token / __Host-authjs.csrf-token | Strictly necessary | On every visit to a sign-in / auth-handler route | Session-bound; deleted on browser close |
| authjs.callback-url / __Secure-authjs.callback-url | Strictly necessary | When the auth flow begins | Cleared after sign-in completes (max 24h) |
Per-cookie purpose
__Host-authjs.session-token (prod) / authjs.session-token (dev)
Authenticated session — maps to a sessions row in our database. Without it you cannot access /admin or /portal.
apxlbs_2fa
Marks the current session as 2FA-verified within the last 12 hours. HMAC-SHA256 signed; user-id bound; cannot be lifted to another session.
authjs.csrf-token / __Host-authjs.csrf-token
Anti-CSRF token used by Auth.js for sign-in/sign-out POST requests.
authjs.callback-url / __Secure-authjs.callback-url
Stores the URL to return to after sign-in completes.
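The "HMAC-SHA256 signed; user-id bound; cannot be lifted to another session" property described for apxlbs_2fa, as an added Node.js sketch that is not apxlbs.com's own code. The token layout, the session-id field, the function names and the demo key are all assumptions made for illustration.

```javascript
// Added illustration only: token layout and names are assumed, not the site's.
const crypto = require("node:crypto");

const TTL_MS = 12 * 60 * 60 * 1000; // 12-hour retention from the inventory table
const DEMO_KEY = crypto.randomBytes(32); // constructed key; real keys live in a secret store

function mac(key, payload) {
  return crypto.createHmac("sha256", key).update(payload).digest("base64url");
}

// Issue after a successful TOTP / recovery-code check.
function issue2fa(key, userId, sessionId, now = Date.now()) {
  // "." is the field separator, so ids containing it would make the MAC input ambiguous.
  if ([userId, sessionId].some((v) => typeof v !== "string" || v.includes("."))) {
    throw new Error("ids must be strings without '.'");
  }
  const payload = `${userId}.${sessionId}.${now + TTL_MS}`;
  return `${payload}.${mac(key, payload)}`;
}

// True only if the MAC is valid, the token is unexpired, and it is bound to
// the same user and session that are presenting it.
function verify2fa(key, token, userId, sessionId, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 4) return false;
  const [uid, sid, exp, tag] = parts;
  const expected = Buffer.from(mac(key, `${uid}.${sid}.${exp}`));
  const given = Buffer.from(tag);
  // timingSafeEqual throws on length mismatch, so check length first.
  if (given.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(given, expected)) return false;
  // Expiry is trusted only after the MAC has been verified.
  if (!/^\d+$/.test(exp) || Number(exp) <= now) return false;
  // Binding check: a copied cookie fails under any other user or session.
  return uid === userId && sid === sessionId;
}
```

Checking the MAC before parsing the expiry means an edited timestamp is rejected as a forgery rather than evaluated.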
Analytics — Vercel Web Analytics
We use Vercel Web Analytics on public pages. It is cookieless: it counts page views via short-lived in-memory tokens and rotates them every 24 hours, deriving no cross-session identity. No cookie is set by analytics.
What we don't use
- Advertising cookies
- Cross-site tracking pixels
- Behavioral profiling cookies
- Third-party social-network cookies (Facebook Pixel, LinkedIn Insight, etc.)
- Session-replay or fingerprinting cookies
How to clear or block
Your browser controls cookie storage. Clearing cookies for apxlbs.com will sign you out of /admin and /portal but has no effect on public marketing pages. Blocking strictly-necessary cookies will prevent sign-in entirely.
