Cookies

OTPBase uses two cookies. That is the entire list. Both are first-party. Neither is used for advertising or analytics.

| Cookie | Purpose | When it's set | When it expires | |---|---|---|---| | otpbase_session | Keeps you logged in. The session ID is opaque; the actual session data lives server-side in Redis. | When you log in. | When you log out, or 30 days of inactivity, whichever is sooner. | | XSRF-TOKEN | Cross-site request forgery protection — required for any form you submit. Standard Laravel protection. | First page load. | When you close the tab. |

We do not use cookies for: advertising, analytics, A/B testing, behavioural profiling, third-party integrations of any kind. There are no Google Analytics, Facebook Pixel, Hotjar, or similar tools running on this site.

The reCAPTCHA script (loaded only on /login and /register) sets cookies in Google's domain — these are governed by Google's cookie policy and we have no visibility into them. If you object to that, the only mitigation we can offer is operating without reCAPTCHA, in which case we'd need to fall back to a slower email-confirmation flow on every login. Email support@otpbase.com if this matters to you.

Browser controls

Modern browsers let you block cookies entirely. If you block otpbase_session, you cannot stay logged in. If you block XSRF-TOKEN, forms will fail with a 419 error. Both are functional and required.

Changes

If we ever add a cookie, this page is updated and we email you 14 days before that cookie starts being set.