Skip to main content

If you are using our backend SDK that is lesser than the following versions, please visit the older documentation link here.

Handling session tokens

There are two modes ways in which you can use sessions with SuperTokens:

  • Using httpOnly cookies
  • Authorization bearer token.

Our frontend SDK uses httpOnly cookie based session for websites by default as it secures against tokens theft via XSS attacks. For other platform like mobile apps, we use a bearer token in the Authorization header by default. This setting can be changed as described in the token transfer section

CAUTION

This guide only applies to scenarios which involve SuperTokens Session Access Tokens.

If you are implementing either, Unified Login or Microservice Authentication, features that make use of OAuth2 Access Tokens, please check the separate page that shows you how to verify those types of tokens.

If using our frontend SDK#

For Web#

success

No action required.

Our frontend SDK handles everything for you. You only need to make sure that you have called supertokens.init before making any network requests.

Our SDK adds interceptors to fetch and XHR (used by axios) to save and add session tokens from and to the request.

By default, our web SDKs use cookies to provide credentials.

CAUTION

This guide only applies to scenarios which involve SuperTokens Session Access Tokens.

If you are implementing either, Unified Login or Microservice Authentication, features that make use of OAuth2 Access Tokens, please check the separate page that shows you how to verify those types of tokens.

For React-Native#

Our frontend SDK handles everything for you. You only need to make sure that you have added our network interceptors as shown below

Do you use axios on your frontend?
YesNo
note

By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.

For Android#

Which library are you using for networking?
HttpURLConnectionOkhttp / Retrofit
note

By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.

For iOS#

Which library are you using for networking?
URLSessionAlamofire
note

By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.

For Flutter#

Which library are you using for networking?
httpDio
note

By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.

If not using our frontend SDK#

caution

We highly recommend using our frontend SDK to handle session token management. It will save you a lot of time.

In this case, you will need to manually handle the tokens and session refreshing, and decide if you are going to use header or cookie-based sessions.

For browsers, we recommend cookies, while for mobile apps (or if you don't want to use the built-in cookie manager) you should use header-based sessions.

Which request authentication mode are you using?
CookieHeader (Authorization Bearer)
Looking for older versions of the documentation?
Which UI do you use?
Custom UI
Pre built UI