Skip to main content

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Store tokens (access and refresh) in cookies in header based auth mode


This is just a proposal so far, it hasn't been accepted and needs further discussion.

rishabhpoddar, porcellus
Proposed by:

Context and Problem Statement#

In header based auth mode we have to decide where to store our tokens on the frontend.

Considered Options#

  • Cookies
  • Localstorage (or other similar)

Decision Outcome#

Use cookies, the disadvantage of no sharing between subdomains is huge.

Pros and Cons of the Options#


  • Consistent with front-token
  • Overriding all token storage can be done by just overriding cookies
  • Sent to the frontend server (minor)
  • Cleared in Safari after 7 days of inactivity (Source)
  • Local storage#

  • Very simple & easy to override
  • During development removing a session would require clearing both localstorage and cookies
  • No way of sharing between subdomains
  • Inconsistent or requires changing the front-token storage
  • Cleared in Safari after 7 days of inactivity (Source)
  • Looking for older versions of the documentation?
    Which UI do you use?
    Custom UI
    Pre built UI