
Anonymous Sessions using Node SDKs

  • Auth
cerq
17 Jan, 2026, 21:48

I am attempting to use anonymous sessions with the Node SDK but I have simply no idea how to persist the session to a cookie, pass it to the session client, etc. The returned session object from account.createAnonymousSession doesn't include a secret parameter like the other authentication methods do to be stored in a cookie.

Curiously, I tested how anonymous sessions worked in the browser SDK (since there is no manual session management involved) and I found that the lack of a secret parameter is the same. However, the session cookie comes directly from the request via a Set-Cookie header. I don't know how to intercept this header from the call in the server SDK to be able to store the session secret since the library does not make it accessible from what I can tell.

One of my thoughts was to manually make an API call from the Node side and proxy the Set-Cookie to the client, but it seems like there should be a better way to do this.

account.createAnonymousSession() returns the following object. I have changed the value of some of the fields containing PII.

Any help would be much appreciated!

TypeScript
{
    "$id": "696c035d336054320f10",
    "$createdAt": "2026-01-17T21:47:09.220+00:00",
    "$updatedAt": "2026-01-17T21:47:09.220+00:00",
    "userId": "696c035d27ec559cbc5e",
    "expire": "2027-01-17T21:47:09.210+00:00",
    "provider": "anonymous",
    "providerUid": "",
    "providerAccessToken": "",
    "providerAccessTokenExpiry": "",
    "providerRefreshToken": "",
    "ip": "",
    "osCode": "",
    "osName": "",
    "osVersion": "",
    "clientType": "browser",
    "clientCode": "CH",
    "clientName": "Chrome",
    "clientVersion": "143.0",
    "clientEngine": "Blink",
    "clientEngineVersion": "143.0.0.0",
    "deviceName": "",
    "deviceBrand": "",
    "deviceModel": "",
    "countryCode": "",
    "countryName": "",
    "current": true,
    "factors": [
        "anonymous"
    ],
    "secret": "",
    "mfaUpdatedAt": ""
}
TL;DR
Anonymous sessions using Node SDKs are causing issues as the SDK cannot persist them, which seems to be a limitation. To solve this, an API key needs to be used to receive the secret in the payload, which was missing in the implementation. Remember to set the API key to get the secret.
18 Jan, 2026, 17:04

The output above is from the browser but the secret field of the object being an empty string is consistent across both SDKs.

21 Jan, 2026, 03:05

Bump. Still facing this issue.

21 Jan, 2026, 04:28

Hey! Can you share the code file where you're getting this error?

21 Jan, 2026, 23:39
TypeScript
const anonymousSession = await client.account.createAnonymousSession();
console.log(anonymousSession)

The console output is the following:

TypeScript
{
  '$id': '69716357af82718ae17e',
  '$createdAt': '2026-01-21T23:37:59.737+00:00',
  '$updatedAt': '2026-01-21T23:37:59.737+00:00',
  userId: '69716357a470fcc5ff82',
  expire: '2027-01-21T23:37:59.718+00:00',
  provider: 'anonymous',
  providerUid: '',
  providerAccessToken: '',
  providerAccessTokenExpiry: '',
  providerRefreshToken: '',
  ip: 'XXX.XXX.XXX.XXX', // redacted
  osCode: 'MAC',
  osName: 'Mac',
  osVersion: '',
  clientType: '',
  clientCode: '',
  clientName: '',
  clientVersion: '',
  clientEngine: '',
  clientEngineVersion: '',
  deviceName: 'desktop',
  deviceBrand: 'Apple',
  deviceModel: '',
  countryCode: 'us',
  countryName: 'United States',
  current: true,
  factors: [ 'anonymous' ],
  secret: '',
  mfaUpdatedAt: ''
}
21 Jan, 2026, 23:46

My simple implementation is this, using SvelteKit, hooks, and the Node SDK. On the first visit, the $id property of the returned anonymous session is stored to the 'session' cookie since I don't know what other field to put there since secret is just an empty string. On subsequent visits, the application recognizes that the session cookie is present and attempts to call the .setSession method with its value. However, attempting to get the current account from the client just returns undefined (existing user found undefined is printed on these visits).

TypeScript
import { APPWRITE_ENDPOINT, APPWRITE_PROJECT_ID } from '$env/static/private';
import { adminClient, CustomClient } from '$lib/server/appwrite';
import { type Handle } from '@sveltejs/kit';
import { Client } from 'node-appwrite';

export const handle: Handle = async ({ event, resolve }) => {
    const sessionClient = new Client().setEndpoint(APPWRITE_ENDPOINT).setProject(APPWRITE_PROJECT_ID);
    const client = new CustomClient(sessionClient);

    const sessionId = event.cookies.get('session');

    if (sessionId) {
        client.client.setSession(sessionId);
        event.locals.user = await client.account.get().catch(() => null);
        console.log('existing user found', event.locals.user?.$id);
    } else {
        const anonymousSession = await client.account.createAnonymousSession();
        client.client.setSession(anonymousSession.$id);
        event.cookies.set('session', anonymousSession.$id, {
            httpOnly: true,
            secure: true,
            sameSite: 'lax',
            path: '/',
            expires: new Date(anonymousSession.expire)
        });
        event.locals.user = await client.account.get().catch(() => null);
    }

    return await resolve(event);
};
22 Jan, 2026, 07:08

This seems to be the Node SDK issue itself as you can’t persist anonymous sessions via the SDK. I guess it works only in browser or via manual HTTP proxy.

23 Jan, 2026, 00:35

Interesting, looks like the API should return a secret parameter but it doesn't seem to be doing so in the case of an anonymous session. Can you please create a GitHub issue for this so we can track it?

23 Jan, 2026, 02:21
23 Jan, 2026, 02:23

Under appwrite/appwrite, doesn't look like an SDK-specific issue.

23 Jan, 2026, 02:23

👍🏽

23 Jan, 2026, 05:31

<@464477495345938452> just a clarification, are you using an API key here?

23 Jan, 2026, 12:08

Nope, just a session client.

23 Jan, 2026, 12:11

You need to use an API key to get the secret in the payload.

23 Jan, 2026, 12:48

Oh my gosh, I could’ve sworn I’ve done it this way before for email/password sessions. Is this documented? Thank you.

23 Jan, 2026, 15:28

Yeah, it's pretty well documented, but no worries if you missed it. Happened to me several times too 😄
