I am attempting to use anonymous sessions with the Node SDK but I have simply no idea how to persist the session to a cookie, pass it to the session client, etc. The returned session object from account.createAnonymousSession doesn't include a secret parameter like the other authentication methods do to be stored in a cookie.
Curiously, I tested how anonymous sessions worked in the browser SDK (since there is no manual session management involved) and I found that the lack of a secret parameter is the same. However, the session cookie comes directly from the request via a Set-Cookie header. I don't know how to intercept this header from the call in the server SDK to be able to store the session secret since the library does not make it accessible from what I can tell.
One of my thoughts was to manually make an API call from the Node side and proxy the Set-Cookie to the client, but it seems like there should be a better way to do this.
account.createAnonymousSession() returns the following object. I have changed the value of some of the fields containing PII.
Any help would be much appreciated!
{
  "$id": "696c035d336054320f10",
  "$createdAt": "2026-01-17T21:47:09.220+00:00",
  "$updatedAt": "2026-01-17T21:47:09.220+00:00",
  "userId": "696c035d27ec559cbc5e",
  "expire": "2027-01-17T21:47:09.210+00:00",
  "provider": "anonymous",
  "providerUid": "",
  "providerAccessToken": "",
  "providerAccessTokenExpiry": "",
  "providerRefreshToken": "",
  "ip": "",
  "osCode": "",
  "osName": "",
  "osVersion": "",
  "clientType": "browser",
  "clientCode": "CH",
  "clientName": "Chrome",
  "clientVersion": "143.0",
  "clientEngine": "Blink",
  "clientEngineVersion": "143.0.0.0",
  "deviceName": "",
  "deviceBrand": "",
  "deviceModel": "",
  "countryCode": "",
  "countryName": "",
  "current": true,
  "factors": [
    "anonymous"
  ],
  "secret": "",
  "mfaUpdatedAt": ""
}
The output above is from the browser but the secret field of the object being an empty string is consistent across both SDKs.
Bump. Still facing this issue.
Hey! can you share the code file where you're getting this error?
const anonymousSession = await client.account.createAnonymousSession();
console.log(anonymousSession)
The console output is the following:
{
  '$id': '69716357af82718ae17e',
  '$createdAt': '2026-01-21T23:37:59.737+00:00',
  '$updatedAt': '2026-01-21T23:37:59.737+00:00',
  userId: '69716357a470fcc5ff82',
  expire: '2027-01-21T23:37:59.718+00:00',
  provider: 'anonymous',
  providerUid: '',
  providerAccessToken: '',
  providerAccessTokenExpiry: '',
  providerRefreshToken: '',
  ip: 'XXX.XXX.XXX.XXX', // redacted
  osCode: 'MAC',
  osName: 'Mac',
  osVersion: '',
  clientType: '',
  clientCode: '',
  clientName: '',
  clientVersion: '',
  clientEngine: '',
  clientEngineVersion: '',
  deviceName: 'desktop',
  deviceBrand: 'Apple',
  deviceModel: '',
  countryCode: 'us',
  countryName: 'United States',
  current: true,
  factors: [ 'anonymous' ],
  secret: '',
  mfaUpdatedAt: ''
}
My simple implementation is this, using SvelteKit, hooks, and the Node SDK. On the first visit, the $id property of the returned anonymous session is stored to the 'session' cookie since I don't know what other field to put there since secret is just an empty string. On subsequent visits, the application recognizes that the session cookie is present and attempts to call the .setSession method with its value. However, attempting to get the current account from the client just returns undefined (existing user found undefined is printed on these visits).
import { APPWRITE_ENDPOINT, APPWRITE_PROJECT_ID } from '$env/static/private';
import { adminClient, CustomClient } from '$lib/server/appwrite';
import { type Handle } from '@sveltejs/kit';
import { Client } from 'node-appwrite';

export const handle: Handle = async ({ event, resolve }) => {
  const sessionClient = new Client().setEndpoint(APPWRITE_ENDPOINT).setProject(APPWRITE_PROJECT_ID);
  const client = new CustomClient(sessionClient);
  const sessionId = event.cookies.get('session');
  if (sessionId) {
    client.client.setSession(sessionId);
    event.locals.user = await client.account.get().catch(() => null);
    console.log('existing user found', event.locals.user?.$id);
  } else {
    const anonymousSession = await client.account.createAnonymousSession();
    client.client.setSession(anonymousSession.$id);
    event.cookies.set('session', anonymousSession.$id, {
      httpOnly: true,
      secure: true,
      sameSite: 'lax',
      path: '/',
      expires: new Date(anonymousSession.expire)
    });
    event.locals.user = await client.account.get().catch(() => null);
  }
  return await resolve(event);
};
This seems to be the Node SDK issue itself as you can’t persist anonymous sessions via the SDK. I guess it works only in browser or via manual HTTP proxy.
interesting, looks like the API should return a secret parameter but it doesn't seem to be doing so in case of anonymous session, can you please create a GitHub issue for this so we can track it?
under appwrite/appwrite, doesn't look like SDK specific issue
👍🏽
just a clarification, are you using an API key here?
Nope, just a session client.
you need to use an api key to get secret in payload
Oh my gosh, I could’ve sworn I’ve done it this way before for email/password sessions. Is this documented? Thank you.
yeah it's pretty well documented, but no worries if you missed it. happened to me several times too 😄
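The resolution reached in the thread (the `secret` field is only populated when the request carries an API key) as an added example; it is not code from the thread or from Appwrite. `resolveUser`, `adminAccount`, `sessionAccountFor` and `makeFakes` are hypothetical names, and the in-memory stand-ins are constructed so the flow runs without a server.

```javascript
// Added example. Hypothetical names: `adminAccount` is an Account on an API-key
// client; `sessionAccountFor(secret)` is an Account after setSession(secret).
const COOKIE = 'session';

async function resolveUser({ cookies, adminAccount, sessionAccountFor }) {
  const stored = cookies.get(COOKIE);
  if (stored) {
    const user = await sessionAccountFor(stored).get().catch(() => null);
    if (user) return user;
    // Rejected value (expired, revoked, or a session $id): drop it.
    cookies.delete(COOKIE, { path: '/' });
  }
  const session = await adminAccount.createAnonymousSession();
  // Without an API key the payload carries secret: ''. Fail closed rather
  // than fall back to $id, which identifies the session but cannot authenticate.
  if (typeof session.secret !== 'string' || session.secret === '') {
    throw new Error('no session secret returned; is an API key set?');
  }
  cookies.set(COOKIE, session.secret, {
    httpOnly: true, secure: true, sameSite: 'lax', path: '/',
    expires: new Date(session.expire)
  });
  return sessionAccountFor(session.secret).get().catch(() => null);
}

// Constructed in-memory stand-ins so the flow runs offline.
function makeFakes({ withApiKey }) {
  const users = new Map(); // secret -> user
  const jar = new Map();   // cookie name -> value
  const cookies = {
    get: (name) => jar.get(name),
    set: (name, value) => { jar.set(name, value); },
    delete: (name) => { jar.delete(name); }
  };
  const adminAccount = {
    async createAnonymousSession() {
      const n = users.size + 1;
      users.set(`constructed-secret-${n}`, { $id: `user-${n}` });
      return { $id: `sess-${n}`, expire: '2027-01-17T21:47:09.210+00:00',
        secret: withApiKey ? `constructed-secret-${n}` : '' };
    }
  };
  const sessionAccountFor = (secret) => ({
    async get() {
      if (!users.has(secret)) throw new Error('unauthorized');
      return users.get(secret);
    }
  });
  return { cookies, adminAccount, sessionAccountFor, jar };
}
```

In a SvelteKit hook like the one posted above, `cookies` would be `event.cookies`, which exposes the same `get`, `set` and `delete` calls.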