This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
This is just a proposal so far, it hasn't been accepted and needs further discussion.
We have to decide which auth method (header or cookies) to use when creating/verifying/refreshing sessions for each request.
- Configured on the backend
- Configured on both
- Configured only on the frontend and sent along the request
- Preference set set on the frontend and controlled by the backend
Preference set on the frontend (and sent with request) and validated by the backend.
- By default the backend respects the preference, but can be configured to ignore it.
- configuration in two places
- Default on the backend will fit almost all use-cases)
- The configuration is not really duplicated