Secure device authentication
The HTTP-only cookie is a convenient fallback for full-page loads, but it is replayable until you disable the device. For SPAs and fetch(), load /vpnless-client-auth.js and call VPNLessFetchAuth.install({ sameOriginOnly: true }) so that every request sends a fresh, timestamped session proof instead of relying on the cookie alone.
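Why a per-request timestamped proof resists replay where a static cookie does not, as an added Node.js sketch that is not VPNLess code and does not reproduce its wire format. The per-device secret, the HMAC layout, the 30-second window and the names makeProof and createVerifier are all assumptions made for illustration.

```javascript
// Added illustration, not the VPNLess wire format. Assumed: a per-device
// secret and proof = HMAC-SHA256(secret, method \n path \n timestamp \n nonce).
const crypto = require("node:crypto");

const MAX_SKEW_MS = 30_000; // assumed freshness window

function mac(secret, method, path, ts, nonce) {
  return crypto.createHmac("sha256", secret)
    .update(`${method}\n${path}\n${ts}\n${nonce}`)
    .digest();
}

// Client side: a new timestamp and nonce for every request.
function makeProof(secret, method, path, now = Date.now()) {
  const nonce = crypto.randomBytes(12).toString("hex");
  return { ts: now, nonce, mac: mac(secret, method, path, now, nonce).toString("hex") };
}

// Server side: returns "ok", "stale", "bad-mac" or "replayed".
function createVerifier(secret, maxSkewMs = MAX_SKEW_MS) {
  const seen = new Map(); // nonce -> time after which the proof is stale anyway
  return function verify(method, path, proof, now = Date.now()) {
    // Forget nonces whose proofs can no longer pass the freshness check.
    for (const [nonce, expiry] of seen) if (expiry < now) seen.delete(nonce);
    if (!Number.isSafeInteger(proof.ts) || Math.abs(now - proof.ts) > maxSkewMs) {
      return "stale";
    }
    const expected = mac(secret, method, path, proof.ts, proof.nonce);
    const given = Buffer.from(String(proof.mac), "hex");
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      return "bad-mac";
    }
    if (seen.has(proof.nonce)) return "replayed";
    seen.set(proof.nonce, proof.ts + maxSkewMs);
    return "ok";
  };
}
```

A captured proof is rejected on its second use and is useless for any other method or path, whereas a captured cookie stays valid until the device is disabled.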