Aura
Sign inJoin Aura

Cookie Policy

Version 2026-05-03

Aura uses cookies and similar technologies (browser localStorage, sessionStorage) to provide and improve the Service. This page explains what we use, why, and how you can control them. For more on how we handle data overall, see the Privacy Policy.

What is a cookie

A cookie is a small piece of data stored on your device by your browser. Browsers send cookies back to the site that set them on subsequent requests. Aura also uses localStorage (similar but bigger and not sent automatically) for some preferences.

Categories we use

Strictly necessary (no consent required)

These are needed to deliver the Service you requested. We cannot turn them off.

  • __Secure-authjs.session-token — your sign-in session. HTTPS-only, HttpOnly, SameSite=Lax. Expires after session ends.
  • __Host-authjs.csrf-token — CSRF protection for sign-in flows.
  • __Secure-authjs.callback-url — Auth.js redirect target after sign-in.
  • aura.siwe_nonce — short-lived nonce for Sign-In With Ethereum, prevents replay.
  • aura.age_gate_passed_v1 (localStorage) — your 18+ confirmation. Without this, the age gate would re-prompt every page load.
  • aura.cookies_v1 (localStorage) — your cookie consent choice. Without this, we'd re-show the consent banner forever.

Analytics (optional, requires consent)

If you accept analytics, we use first-party usage events to understand which features are used. We do not use Google Analytics, Meta Pixel, or any third-party advertising tracker. Data stays on Aura servers.

  • Aggregated page-view counts and feature engagement.
  • Performance metrics (page load, errors).
  • Country-level geo (derived from IP, not stored as IP).

Advertising (we don't use these)

We do not use marketing cookies, retargeting pixels, or third-party advertising trackers. We don't sell or share your usage data with advertisers.

Managing your choices

  • From the consent banner: on first visit you choose "Necessary only" or "Accept all." The choice is stored in aura.cookies_v1.
  • To change your choice later: clear your localStorage (browser settings → Privacy → site data → Aura) and reload; the banner will reappear.
  • Browser settings: all major browsers let you block cookies globally or per-site. Note: blocking strictly necessary cookies will break sign-in.
  • Do Not Track: we honor DNT for analytics. If your browser sends DNT, we do not enable analytics regardless of your stated consent.

How long

  • Session cookies: until you sign out or close your browser, max 30 days.
  • CSRF/nonce cookies: minutes.
  • localStorage entries: until you clear them or 1 year, whichever comes first.
  • Server-side analytics: 12 months, then aggregated/discarded.

Third-party cookies

Some features rely on third parties whose own cookies may be set when you use them:

  • Google sign-in (during the Google OAuth flow only — Google sets its own cookies on accounts.google.com)
  • Coinbase Smart Wallet / OnchainKit (loaded only when you click connect)
  • Cloudflare R2 (CDN for media; sets a load-balancer cookie for performance)

These third parties have their own privacy and cookie policies. We do not embed any third-party advertising or social-tracking iframes.

Changes

We may update this Cookie Policy as we add or remove cookies. Material changes (new categories, new third parties) trigger a re-prompt of the consent banner.