Skip to content
BEAD

HTTP Cookie Builder & Parser

Construct or decode Set-Cookie headers with SameSite, Secure, HttpOnly, and prefix validation.

Set-Cookie header
Set-Cookie: session=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax
</>Use this tool programmaticallycurl · JavaScript · MCP

Same tool, callable from any HTTP client or from Claude (via MCP). Anonymous: 100 req/day per IP. Sign up for 1,000 req/day.

curl
curl https://api.b-e-a-d.com/tools/cookie-builder/run \
  -H "Content-Type: application/json" \
  -d '{
  "action": "build",
  "name": "example",
  "value": "a",
  "path": "/",
  "secure": false,
  "httpOnly": false
}'
JavaScript (fetch)
const res = await fetch("https://api.b-e-a-d.com/tools/cookie-builder/run", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
  "action": "build",
  "name": "example",
  "value": "a",
  "path": "/",
  "secure": false,
  "httpOnly": false
}),
});
const data = await res.json();
console.log(data.result);
MCP (Claude Desktop / Claude Code)
# In Claude Desktop / Claude Code, add to your MCP config:
{
  "mcpServers": {
    "bead": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://mcp.b-e-a-d.com"]
    }
  }
}

# Then ask Claude to call:
mcp__bead__bead_cookie_builder

Full reference: developer docs · OpenAPI spec

SameSite

Lax is sent on top-level navigations only — the modern default.Strict never crosses sites, even via clicks from another origin. None allows cross-site sends but requires Secure.

Host- and Secure- prefixes

A cookie named __Host-id must set Secure, no Domain, and Path=/ — browsers reject it otherwise. __Secure- just requires Secure. Both are belt-and-braces against subdomain takeover.

You might also like