Cookie policy
SF Agent uses a minimal set of cookies strictly necessary to operate the platform. We do not use advertising, tracking, or analytics cookies.
Essential cookies
These cookies are required for the platform to function. They cannot be disabled without breaking core functionality.
| Cookie | Purpose | Duration |
|---|---|---|
| next-auth.session-token | Authenticates your session after sign-in. Contains an encrypted JWT with your user ID and role. | 8 hours |
| next-auth.csrf-token | Protects against cross-site request forgery (CSRF) attacks during authentication. | Session |
| next-auth.callback-url | Stores the page to redirect you to after sign-in. | Session |
Salesforce SSO cookies
When you sign in via Salesforce SSO, the following cookies are set during and after the OAuth exchange:
| Cookie | Purpose | Duration |
|---|---|---|
| sf_sso_state | CSRF protection for the Salesforce OAuth flow. | 10 min |
| sf_sso_pkce | PKCE code verifier for the Salesforce OAuth flow. | 10 min |
| sf_device_trust | Remembers a browser that has completed email OTP verification, so repeat sign-ins from that browser do not always require a fresh OTP. | 30 days |
The sf_sso_state and sf_sso_pkce cookies are deleted as soon as the sign-in completes (or fails). The sf_device_trust cookie is the exception: it persists for its 30-day lifetime so that the browser can be recognized on later sign-ins.
Third-party cookies
SF Agent does not set any third-party cookies. We do not use Google Analytics, Facebook Pixel, or any other tracking services.
Security
In production, every cookie is set with HttpOnly (not readable by page scripts), Secure (sent only over HTTPS), and an explicit SameSite attribute chosen per cookie. Session cookies use SameSite=Lax so that the top-level redirect back from Salesforce after OAuth still carries your session, while the trusted-device cookie uses SameSite=Strict, so it is never sent on a request that originates from another site. Because Lax still allows a cookie to accompany a top-level cross-site navigation, it is not a complete CSRF defence on its own: every state-changing API request (POST, PUT, PATCH, DELETE) is additionally checked for an Origin (or Referer) header that matches the application's own origin, and is rejected otherwise.
Questions
If you have questions about our use of cookies, contact us at support@sfagent.dev.