Parent-domain session cookie
Sign in once, stay signed in on every first-party app. In production the httpOnly ivr_session cookie is scoped to the parent domain .intelli-verse-x.ai, so every first-party subdomain sends it to the router automatically. The cookie is httpOnly, secure, and SameSite=Lax — sibling apps never read or parse it themselves.
The session broker endpoint
Sibling apps resolve the signed-in user by calling the broker with credentials. CORS is an exact-match allowlist of first-party origins (plus single-label https://<label>.intelli-verse-x.ai subdomains) — no wildcard reflection, never plain http, never lookalike registrable domains.
/api/auth/session// From any first-party origin (e.g. https://quizverse.intelli-verse-x.ai):
const res = await fetch("https://router.intelli-verse-x.ai/api/auth/session", {
credentials: "include", // sends the parent-domain ivr_session cookie
});
const session = await res.json(); // { user: { ... } } or { user: null }Important
admin.intelli-verse-x.ai is intentionally excluded from the allowlist — the admin app is a separate OTP auth island by design and never trusts the consumer session cookie.Signed-in hint cookie
A non-httpOnly hint cookie, ivx_signed_in, is set alongside the session so sibling UIs can render "signed in" states without a broker round-trip. Its value is always the literal 1 — never tokens or identity. Treat it as a display hint only; authorization always goes through the broker.