Skip to main content

Handling session tokens

There are two modes ways in which you can use sessions with SuperTokens:

  • Using httpOnly cookies
  • Authorization bearer token.

Our frontend SDK uses httpOnly cookie based session for websites by default as it secures against tokens theft via XSS attacks. For other platform like mobile apps, we use a bearer token in the Authorization header by default. This setting can be changed as described in the token transfer section

If using our frontend SDK#

For Web#

success

No action required.

Our frontend SDK handles everything for you. You only need to make sure that you have called supertokens.init before making any network requests.

Our SDK adds interceptors to fetch and XHR (used by axios) to save and add session tokens from and to the request.

note

By default, our web SDKs use cookies to provide credentials.

For React-Native#

Our frontend SDK handles everything for you. You only need to make sure that you have added our network interceptors as shown below

Do you use axios on your frontend?
YesNo
note

By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.

For Android#

Which library are you using for networking?
HttpURLConnectionOkhttp / Retrofit
note

By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.

For iOS#

Which library are you using for networking?
URLSessionAlamofire
note

By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.

For Flutter#

Which library are you using for networking?
httpDio
note

By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.

If not using our frontend SDK#

caution

We highly recommend using our frontend SDK to handle session token management. It will save you a lot of time.

In this case, you will need to manually handle the tokens and session refreshing, and decide if you are going to use header or cookie-based sessions.

For browsers, we recommend cookies, while for mobile apps (or if you don't want to use the built-in cookie manager) you should use header-based sessions.

Which request authentication mode are you using?
CookieHeader (Authorization Bearer)