
This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Auth-mode should be set to the configured preference


This is just a proposal so far, it hasn't been accepted and needs further discussion.

Proposed by: rishabhpoddar, porcellus

Context and Problem Statement

  • As per this decision, active sessions can't change auth-methods, even through refreshing.
  • As per this decision, the backend ignores the contents of the auth-mode header in verifySession.

Now we need to decide what to do if the preference set in the frontend config doesn't match the active session.

Considered Options

  • Skip attaching the auth-mode to requests
  • Always send the auth-mode preference set in the config
  • Auth-mode should be set to the mode of the active session if present and the configured value otherwise

Decision Outcome

Always send the auth-mode preference set in the config. Reasons:

  • We only use the auth-mode header to decide the token transfer method of new sessions
  • It signifies the preference of the frontend; it doesn't mean that the backend will respect it
  • Since both getSession and refreshSession ignore it, it's safe to attach to every request
  • We should attach it to every request, because then this information will get to createNewSession in every case
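
The mismatch case this decision covers, as an added example that is not SuperTokens SDK code: a simplified JavaScript model of the frontend and backend. The header name `auth-mode`, the `tokenTransferMethod` config key, the values `cookie` and `header`, and the in-memory session store are assumptions made for the illustration.

```javascript
// Simplified model of the decision; not SuperTokens SDK code.
const AUTH_MODE_HEADER = "auth-mode"; // assumed header name, taken from the page's wording

// Frontend: always attach the configured preference, whatever the active session uses.
function attachAuthMode(config, headers = {}) {
  return { ...headers, [AUTH_MODE_HEADER]: config.tokenTransferMethod };
}

// Backend: the only place where the header is read.
function createNewSession(req, store) {
  const preferred = req.headers[AUTH_MODE_HEADER];
  // The header is a client preference, not a command: unknown values fall back to cookies.
  const method = preferred === "header" ? "header" : "cookie";
  const session = { handle: `s${store.size + 1}`, method };
  store.set(session.handle, session);
  return session;
}

// Backend: verification uses the method stored with the session
// and never looks at the auth-mode header.
function getSession(req, store) {
  return store.get(req.sessionHandle) || null;
}

// Backend: refreshing carries the stored method over unchanged.
function refreshSession(req, store) {
  const session = store.get(req.sessionHandle);
  return session ? { ...session, refreshed: true } : null;
}

// Constructed scenario: a cookie session exists, then the frontend config switches to "header".
function demo() {
  const store = new Map();
  const first = createNewSession({ headers: attachAuthMode({ tokenTransferMethod: "cookie" }) }, store);
  const config = { tokenTransferMethod: "header" };
  const req = { sessionHandle: first.handle, headers: attachAuthMode(config) };
  const verified = getSession(req, store);
  const refreshed = refreshSession(req, store);
  const next = createNewSession({ headers: attachAuthMode(config) }, store);
  return { sent: req.headers[AUTH_MODE_HEADER], verified: verified.method,
           refreshed: refreshed.method, next: next.method };
}

console.log(demo());
```

The existing session stays on cookies through verification and refresh even though every request carries the `header` preference; only the session created afterwards picks it up.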