Session Cookie
The indexer’s REST API (/api/*) and WebSocket endpoint (/indexer-ws/ws) are gated by an HMAC-signed _idx_session cookie. The cookie is a transport-level gate — it’s orthogonal to SIWE authentication, which identifies the account. You need the cookie for every indexer request; authenticated endpoints need the cookie and SIWE credentials.
The cookie requirement does not apply to the rollup/sequencer API (/sequencer/*, /rollup/*) — see Exchange Transactions.
Priming the cookie
GET https://api.t.synchronicity.xyz/indexer/session
Returns 307 + Set-Cookie: _idx_session=…. Call this before your first indexer request.
REST
The first request without a cookie receives a 307 redirect with Set-Cookie: _idx_session=…. Extract the cookie from the response, then replay the request with it.
// GET /session → extract _idx_session from Set-Cookie → send it on subsequent requests.
const res = await request(`${INDEXER}/session`);
const cookie = parseSetCookie(res.headers["set-cookie"]);
await request(`${INDEXER}/api/orderbooks`, { headers: { cookie } });
WebSocket
A WebSocket upgrade can’t follow an HTTP redirect, so a missing or invalid cookie returns 403 at upgrade time. The 403 response carries a fresh _idx_session in Set-Cookie — capture it and reconnect.
// GET /session → extract cookie → open WS with it.
// On 403 at upgrade, read the fresh Set-Cookie and retry.
const res = await request(`${INDEXER}/session`);
const cookie = parseSetCookie(res.headers["set-cookie"]);
new WebSocket(WS_URL, { headers: { cookie } });
Bypassed endpoints
The following endpoint does not require the cookie and is always reachable:
GET /status
Errors
| Status | Cause | Response |
|---|---|---|
| 307 | Missing cookie on REST request | Redirect to the original URL with Set-Cookie: _idx_session=… |
| 403 | Missing cookie on WS upgrade | Set-Cookie: _idx_session=… (fresh cookie — retry with it) |
| 403 | Tampered or expired cookie | Cleared cookie — re-prime via GET /session |
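
The REST flow and the error table above, combined into one retry loop. This is an added example, not code from the indexer project. It assumes `request` is a transport of your own that does not follow redirects and resolves to `{ status, headers }`, and that a cleared cookie arrives with an empty value or `Max-Age=0` (the page does not say how it is encoded).

```javascript
const COOKIE_NAME = "_idx_session";

// Extract "_idx_session=<value>" from Set-Cookie (string or array of strings).
// Returns null when the cookie is absent or cleared.
// Assumption: "cleared" means an empty value or a Max-Age=0 attribute.
function parseSetCookie(setCookie) {
  for (const line of [].concat(setCookie || [])) {
    const [pair, ...attrs] = line.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 0 || pair.slice(0, eq) !== COOKIE_NAME) continue;
    const cleared = pair.slice(eq + 1) === "" ||
      attrs.some((a) => /^max-age=0$/i.test(a));
    return cleared ? null : pair; // the value is opaque: never decode or edit it
  }
  return null;
}

// Send one indexer request through the cookie gate.
// `request(url, { headers })` is a hypothetical transport (see the lead-in).
async function indexerRequest(request, base, path, cookie = null, maxAttempts = 3) {
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const headers = cookie ? { cookie } : {};
    const res = await request(`${base}${path}`, { headers });
    if (res.status !== 307 && res.status !== 403) return { res, cookie };

    // 307 / 403 with a fresh cookie: replay the same request with it.
    cookie = parseSetCookie(res.headers["set-cookie"]);
    if (!cookie) {
      // Cleared cookie (tampered or expired): re-prime via GET /session.
      const primed = await request(`${base}/session`, { headers: {} });
      cookie = parseSetCookie(primed.headers["set-cookie"]);
      if (!cookie) throw new Error("GET /session returned no _idx_session");
    }
  }
  // Bounded retries: a 403 that persists with a fresh cookie has another cause.
  throw new Error("still rejected after " + maxAttempts + " attempts");
}
```

Keep the returned `cookie` and pass it to later calls so only the first request, or one made after expiry, pays for the extra round trip.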