Cookie Policy

Session and security cookies

Clerk session cookies are HttpOnly, Secure, and SameSite=Strict.

AIVORAX also issues a double-submit CSRF cookie so client forms can echo a token in a custom header for all state-mutating requests.
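One way a server can enforce the double-submit check described above. This is an added example, not AIVORAX's or Clerk's own code; the cookie name `csrf_token`, the header name `x-csrf-token`, and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: the names below are assumptions, not AIVORAX's real identifiers.
const CSRF_COOKIE = "csrf_token";   // hypothetical cookie name
const CSRF_HEADER = "x-csrf-token"; // hypothetical custom header name
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Parse a Cookie request header into a name -> value map (first value wins).
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    if (name && !jar.has(name)) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Compare two strings without returning early at the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false; // token length is not secret
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { method, headers } with lower-cased header names, as Node's http module provides.
function checkDoubleSubmit(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true, reason: "safe-method" };
  const cookieToken = parseCookies(req.headers.cookie).get(CSRF_COOKIE);
  const headerToken = req.headers[CSRF_HEADER];
  if (!cookieToken) return { ok: false, reason: "missing-cookie" };
  if (typeof headerToken !== "string" || headerToken === "") return { ok: false, reason: "missing-header" };
  if (!constantTimeEqual(cookieToken, headerToken)) return { ok: false, reason: "mismatch" };
  return { ok: true, reason: "match" };
}

// Constructed sample requests (not real traffic).
const TOKEN = "constructed-sample-token-123";
const samples = [
  { method: "POST", headers: { cookie: `theme=dark; ${CSRF_COOKIE}=${TOKEN}`, [CSRF_HEADER]: TOKEN } },
  { method: "POST", headers: { cookie: `${CSRF_COOKIE}=${TOKEN}` } }, // plain form post: no custom header
  { method: "POST", headers: { cookie: `${CSRF_COOKIE}=${TOKEN}`, [CSRF_HEADER]: "some-other-value-0000000000" } },
  { method: "GET", headers: {} },
];
for (const s of samples) console.log(s.method, checkDoubleSubmit(s));
```

The second sample is the case the pattern exists for: a request that carries the cookie but not the header is rejected, because a plain HTML form submission cannot set a custom header.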

Integration session cookies are encrypted server-side before being stored and are never exposed to client JavaScript.