Cookie Disclosure for Third-Party Developers
What cookies IoTMan sets during OAuth2 flows, and how to disclose them to your users.
If you use IoTMan OAuth2 to authenticate end-users of your application, those users are temporarily redirected to iotman.io during sign-in. IoTMan sets cookies on iotman.io during this flow. You must inform your users about these cookies in your application's privacy policy.
Cookies set by IoTMan during OAuth2 flows
| Cookie | Purpose | Expires |
|---|---|---|
| oauth_session | Identifies the user during the consent step | 30 days |
| _oauth_return | Remembers OAuth2 parameters during the login redirect | 10 minutes |
All cookies are HttpOnly and Secure. They are not accessible to your application's JavaScript and are scoped to the iotman.io domain only.
What you must disclose to your users
Your application's privacy policy should include a statement such as:
Authentication is handled by IoTMan (iotman.io). During sign-in, IoTMan sets session cookies on iotman.io to maintain your authentication state. These cookies are strictly necessary for the service to function. See IoTMan's Privacy Policy for details.
At the point of login
Add a short notice near your "Sign in with IoTMan" button or link:
By signing in, session cookies will be set on iotman.io. Learn more
This ensures users are informed at the point where cookies are set, satisfying the ePrivacy Directive disclosure requirement.
No consent banner needed
All cookies set by IoTMan are strictly necessary for authentication to function. Under ePrivacy Directive Art. 5(3), strictly necessary cookies are exempt from the opt-in requirement. You do not need a cookie consent banner for these cookies — disclosure is sufficient.