Overview
Descope is an authentication-as-a-service platform that provides no-code and SDK-based tools for building login and identity verification flows. It competes with Auth0, Clerk, and Frontegg in the developer-facing authentication infrastructure market. Descope deploys scripts on pages where user authentication is required, handling the complete identity verification lifecycle from initial login through session maintenance and re-authentication.
What This Script Does
Descope scripts load on login, registration, and protected pages of web applications. Client-side behavior includes:
Authentication component rendering: Descope's SDK renders login and registration UI components — including password fields, magic link interfaces, social login buttons, and passkey prompts. These components may load as embedded flows within the application or as hosted page components served from Descope's infrastructure.
Session token storage: After successful authentication, Descope issues session tokens (JWTs) that are stored in browser cookies or local storage. Session cookies are typically set with HttpOnly, which blocks JavaScript access to the cookie, and Secure, which restricts it to HTTPS connections. Tokens kept in local storage get neither protection and are readable by any script running on the page. The token expiry depends on the application's session configuration.
Refresh token management: Descope manages session refresh flows, transparently exchanging short-lived access tokens for new ones without requiring the user to re-authenticate. Refresh token cookies may persist for longer periods (days to weeks) depending on configuration.
MFA and step-up authentication: Descope handles multi-factor authentication flows including TOTP, SMS OTP, email magic links, and WebAuthn/passkeys. Verification requests are made to Descope's API servers.
SSO flows: For enterprise SSO, Descope handles SAML and OIDC protocol exchanges, including browser redirects to enterprise identity providers and token parsing on return.
Telemetry: Descope may collect SDK usage telemetry including authentication event types and error rates for platform reliability monitoring. This telemetry does not include credential data.
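To check the cookie attributes described under session token storage and refresh token management on a given deployment, the following added example (not Descope's or ConsentStack's code) audits Set-Cookie header lines for JWT-bearing cookies. The cookie names, token contents and header lines are constructed samples and are assumptions, not values from Descope.

```javascript
// Added example: audit Set-Cookie lines for JWT-bearing cookies.
// All cookie names, tokens and header lines here are constructed samples.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_JWT = [b64url({ alg: "RS256", typ: "JWT" }), b64url({ sub: "user-1" }), "c2ln"].join(".");
const SAMPLE_HEADERS = [
  `session=${SAMPLE_JWT}; Path=/; HttpOnly; Secure; Max-Age=600`,
  `refresh=${SAMPLE_JWT}; Path=/; Secure; Max-Age=2419200`, // 28 days, no HttpOnly
  "theme=dark; Path=/; Max-Age=31536000",                   // not a token
];

// A JWT is three base64url segments whose first decodes to JSON with "alg".
function looksLikeJwt(value) {
  const parts = value.split(".");
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) return false;
  try {
    const b64 = parts[0].replace(/-/g, "+").replace(/_/g, "/");
    const header = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return header !== null && typeof header === "object" && "alg" in header;
  } catch {
    return false;
  }
}

// Split one Set-Cookie line into name, value and lower-cased attributes.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Report missing flags and lifetime for cookies that carry a token.
function auditSetCookie(line) {
  const c = parseSetCookie(line);
  const report = { name: c.name, token: looksLikeJwt(c.value), findings: [], maxAgeSeconds: null };
  if (!report.token) return report;
  if (!c.attrs.httponly) report.findings.push("missing HttpOnly: readable by page JavaScript");
  if (!c.attrs.secure) report.findings.push("missing Secure: may be sent over plain HTTP");
  if (c.attrs["max-age"] !== undefined) report.maxAgeSeconds = Number(c.attrs["max-age"]);
  return report;
}

const auditAll = (lines) => lines.map(auditSetCookie);
console.log(auditAll(SAMPLE_HEADERS));
```

Feed it the Set-Cookie lines captured from a login response; cookies that do not carry a JWT are reported with `token: false` and no findings.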
Consent & Compliance
GDPR and ePrivacy Directive: Descope's session and refresh token cookies are strictly necessary for delivering the authenticated application service. Users explicitly initiate authentication and cannot access the application without these mechanisms. The ePrivacy Directive exempts technically necessary cookies from consent requirements. Under GDPR, authentication processing is lawful under contract performance (Article 6(1)(b)). Any telemetry data Descope collects for platform operations is processed under legitimate interests. Operators must include Descope as a data processor in their records of processing activities and execute a Data Processing Agreement.
CCPA/CPRA: Authentication credentials and session token data are personal information under CCPA. Descope processes this data as a service provider; this does not constitute a sale or sharing of personal information provided a compliant service provider agreement is in place.
Consent category: essential and functional (mixed). Authentication cookies are essential. Components such as user preferences or extended session management may fall into the functional category.
Should You Block This Without Consent?
No.
Descope provides authentication infrastructure that is technically necessary for the application to function for logged-in users. Blocking Descope scripts would prevent users from signing in, break session management, and make authenticated features entirely inaccessible. Authentication infrastructure is exempt from cookie consent requirements under the ePrivacy Directive's necessity exemption.
Tracked Domains (1)
descope.com (Essential)
Frequently Asked Questions
Does Descope require cookie consent on my website?
No. Descope is an authentication platform categorized as essential. Its session and refresh token cookies are strictly necessary for delivering the authenticated service. The ePrivacy Directive exempts technically necessary authentication cookies from consent requirements.
What cookies does Descope set?
Descope sets HttpOnly Secure session token cookies (JWTs) after successful login to maintain authenticated session state. It may also set refresh token cookies to extend sessions without re-authentication. Cookie expiry depends on the application's session configuration. No advertising or analytics cookies are set.
How does ConsentStack categorize Descope?
ConsentStack categorizes Descope as essential. Authentication scripts are required for users to access the application and are never blocked, even when visitors decline non-essential cookies. ConsentStack identifies Descope by its SDK scripts and session token patterns.
