@tredstone , the cookies names should be sAccessToken, sRefreshToken and sIdRefreshToken. There is also a header field called anti-csrf (if you have no disabled CSRF protection).