> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stateset.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Console Auth Flow

> Authentication modes and session cookies in StateSet Console.

# Console Auth Flow

StateSet Console supports multiple auth modes and issues a signed session cookie for protected routes.

## Supported Modes

* **Email/password**: proxied to Sandbox API login
* **API key**: validated locally in the console
* **Token refresh**: re-issues a session using an existing JWT
* **Dev login**: optional in non-production

## Session Cookies

* `session`: signed JWT containing `orgId` and `userId`
* `sandbox_session`: sandbox token used for Sandbox API calls
* `api_key`: stored API key for API-key auth

## Typical Flow

1. Client posts credentials to `/api/auth/login`.
2. Console validates via Sandbox API or local API key logic.
3. Console sets session cookies and returns user/org metadata.

## Related Documentation

* [Console Architecture](/stateset-console/architecture)
* [Console API Reference](/stateset-console/api-reference)
