Skip to main content

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Treat Authorization header as empty if it doesn't contain a SuperTokens token


This is just a proposal so far, it hasn't been accepted and needs further discussion.

rishabhpoddar, porcellus
Proposed by:

Context and Problem Statement#

People could try and call an API protected by verifySession with an access token from another provider (e.g.: during migration)

Considered Options#

  • Keep try refresh token
  • Return UNAUTHORISED without clearing cookies
  • Handle it as if it was not sent

Decision Outcome#

Handle it as if it was not sent, because:

  • Devs could try to attach an Authorization header meant for a different middleware - we can just use our own cookies if they exist
  • This is the way we handled things before adding header based auth - this way it can keep working the same for people who don't opt into using headers

This means:

  • We fall back to cookies if we detect the Authorization header contains anything that is not our accesstoken
  • If cookies don't exist we return TRY_REFRESH_TOKEN
  • If cookies exist we go through the usual validation steps
Looking for older versions of the documentation?
Which UI do you use?
Custom UI
Pre built UI