Intelliverse

SSO & session broker

One account across the Intelliverse: the parent-domain session cookie and the first-party session broker.

Sign in once, stay signed in on every first-party app. In production the httpOnly ivr_session cookie is scoped to the parent domain .intelli-verse-x.ai, so every first-party subdomain sends it to the router automatically. The cookie is httpOnly, secure, and SameSite=Lax — sibling apps never read or parse it themselves.

The session broker endpoint

Sibling apps resolve the signed-in user by calling the broker with credentials. CORS is an exact-match allowlist of first-party origins (plus single-label https://<label>.intelli-verse-x.ai subdomains) — no wildcard reflection, never plain http, never lookalike registrable domains.

GET/api/auth/session
JavaScript
// From any first-party origin (e.g. https://quizverse.intelli-verse-x.ai):
const res = await fetch("https://router.intelli-verse-x.ai/api/auth/session", {
  credentials: "include", // sends the parent-domain ivr_session cookie
});
const session = await res.json(); // { user: { ... } } or { user: null }

Important

admin.intelli-verse-x.ai is intentionally excluded from the allowlist — the admin app is a separate OTP auth island by design and never trusts the consumer session cookie.

Signed-in hint cookie

A non-httpOnly hint cookie, ivx_signed_in, is set alongside the session so sibling UIs can render "signed in" states without a broker round-trip. Its value is always the literal 1 — never tokens or identity. Treat it as a display hint only; authorization always goes through the broker.

Did this doc help you?
Help us improve these docs