Commit 08d5b86

docs: update description of oidc cookie (#796)
1 parent 37ef0b5 commit 08d5b86

1 file changed, 1 addition and 1 deletion
docs/docs/references/openid-connect/signing-keys-rotation/README.mdx

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ The signing keys are applied to the entire Logto instance (a Logto open-source i
1313
- **OIDC private key**: When initializing a Logto instance, a pair of public key and private key are automatically generated and are registered in the underlying OIDC provider. Thereby, when Logto issues a new JWT token (access token or ID token), the token is signed with the private key. In the meantime, any client application that receives a JWT token can use the paired public key to verify the token signature, in order to ensure the token is not tampered by any third-party. The private key is protected on the Logto server. The public key, however, as the name suggests, are public to everyone, and can be accessed through the `/oidc/jwks` interface of the OIDC endpoint.
1414
A signing key algorithm can be specified when generating the private key, and Logto uses EC (Elliptic Curve) algorithm by default. The admin users can change the default algorithm to RSA (Rivest–Shamir–Adleman) by rotating the private keys.
1515

16-
- **OIDC cookie key**: When user initiate a sign-in or sign-up flow, an “OIDC session” will be created on the server, as well as a set of browser cookies. With the help of the cookies, the users do not have to provide the sign-in credentials every time they launch Logto or other client applications protected by Logto. This feature is called “auto consent” in Logto terminology. The OIDC cookie key is used to sign these browser cookies.
16+
- **OIDC cookie key**: When user initiate a sign-in or sign-up flow, an “OIDC session” will be created on the server, as well as a set of browser cookies. With these cookies, browser can request Logto Experience API to perform a series of interactions on behalf of the user, such as sign-in, sign-up, and reset password.
1717
However, unlike the JWT tokens, the cookies are only signed and verified by Logto OIDC service itself, asymmetric cryptography measures are not required. Thus we don’t have paired public keys for cookie signing keys, nor asymmetric encryption algorithms.
1818

1919
## Rotate signing keys from Console UI
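Review bot: the rewritten bullet at new line 16 no longer says what the OIDC cookie key is for; the removed text ended with "The OIDC cookie key is used to sign these browser cookies." and the replacement never mentions the key, so a reader can only infer its role from the unchanged line 17 ("the cookies are only signed and verified by Logto OIDC service itself"). Suggest keeping that closing sentence at the end of the new bullet. While touching the line, fix the grammar: "When user initiate a sign-in or sign-up flow" should read "When a user initiates a sign-in or sign-up flow", and "browser can request Logto Experience API" should read "the browser can request the Logto Experience API".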
