> ## Documentation Index
> Fetch the complete documentation index at: https://api.docs.flare.io/llms.txt
> Use this file to discover all available pages before exploring further.
# Monitor Leaked Cookies for Your Domain
This endpoint requires access to Account & Session Takeover Prevention (ASTP).
Please contact your Customer Success Manager for more details.
Flare's
[Leaked Cookies API ](/api-reference/astp/endpoints/post-cookies-search)
allows for searching in cookies matching your domains found in stealer logs.
Integrators may use this API to identify and invalidate sessions before they are taken over.
This will guide will explain how to use the Leaked Cookies API to monitor for newly found cookies and invalidate
their session.
## Prequisites
* Cookie monitoring must be enabled for your tenant. This feature must be activated by Flare Support.
* Access to a mechanism by which you may verify a cookie's validity.
* Access to a mechanism by which you may invalidate a cookie.
## Steps
Use the `cookies/_search` endpoint to fetch one page of results.
If `next` is missing from the response (or is null), this means that you viewed all pages.
Loop over the response's items to verify the cookie's validity and invalidate the cookie.
Wait one second to avoid going over the API rate limit. Then, go back to step 1 to fetch the next page.
## Full Project Template
Flare maintains a full project example on Github:
* [https://github.com/Flared/cookie-monitoring](https://github.com/Flared/cookie-monitoring)
It can serve as a starting point to implement automated session revocation in your organization.
## End-to-End API Example
This is an end-to-end example in Python.
```python theme={null}
import json
from datetime import datetime
from datetime import timedelta
from datetime import timezone
from flareio import FlareApiClient
from flareio.ratelimit import Limiter
api_client = FlareApiClient.from_env()
limiter_default = Limiter.from_seconds(0.25)
last_from: str | None = None
fetched_pages: int = 0
fetch_full_event: bool = False
for resp in api_client.scroll(
method="POST",
url="/astp/v2/cookies/_search",
json={
"from": last_from,
"domain": "scatterholt.com",
"paths": ["/", "/login"],
"names": ["session"],
"expires_after": datetime.now(
tz=timezone.utc,
).isoformat(), # Search for cookies not yet expired
"imported_after": (
datetime.now(tz=timezone.utc) - timedelta(days=90)
).isoformat(),
},
):
limiter_default.tick()
resp_data: dict = resp.json()
fetched_pages += 1
num_results: int = len(resp_data["items"])
print(f"Fetched page {fetched_pages} with {num_results} results...")
# Save the last "next" value.
last_from = resp_data.get("next") or last_from
# Iterate on cookies in the current page
for cookie in resp_data["items"]:
# Invalidate the cookie here...
print(f"Cookie Value: {cookie['value']}")
# Optionally fetch more information about how it was leaked...
if fetch_full_event:
limiter_default.tick()
full_event = api_client.get(
url="/firework/v2/activities/",
params={
"uid": cookie["event_uid"],
},
).json()["activity"]
malware_information = full_event["data"]["malware_information"]
print(f"Malware Info: {json.dumps(malware_information)}")
user_infomation = full_event["data"]["user_information"]
print(f"User Info: {json.dumps(user_infomation)}")
print("--")
print(f"The next execution could resume using {last_from=}.")
```