This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
This is just a proposal so far, it hasn't been accepted and needs further discussion.
- rishabhpoddar, porcellus
- Proposed by:
- Last updated:
We send access and refresh tokens through headers in header based auth mode. We need to decide how to name them
- Follow cookie names (sAccessToken, sRefreshToken) + Authorization header
- Follow header naming convention (st-access-token, st-refresh-token) + Authorization header
Follow header naming convention: s-access-token, s-refresh-token (BE -> FE)
Use Authorization header when making API calls (FE -> BE):
- It'll contain the access token in general.
- It'll contain the refresh token in refresh session calls.