Avoid storing tokens in cookies Hi there! I'm currently exploring an auth strategy for my monorepo, where I have an API in a nextjs app (it's currently working with next-auth but I'm a bit unhappy with that set up). My issue is that I not only make requests from the nextjs frontend but also from different domains (a chrome extension and outlook add-in in my case). https://stackoverflow.com/a/64664632/5608461 Is it possible to adapt supertokens so that it doesn't use cookies?

hey! So is the api domain that is being queried the same?

Yes

So then you can use cookies

I don't think I can use cookies on the chrome extension?

im not entirely sure. But i think you can

Not without some major dev drawbacks (requires https for latest browser versions, which is a pain on localhost from my experience).

yea fair

I'd be curious to see how the other projects solved this. I'm actually inclined to roll an own JWT approach.

So you can use us without cookies. SuperTokens is split into multiple "recipes" and we have a session recipe that handles session management via cookies. Each recipe has a set of functions that govern how it works. For example, the session recipe has createNewSession, verifySession, revokeSession etc... The default implementation of those set response cookies and read from request cookies. You can override these functions (think inheritance override) to instead set the response body and read from the request header. Furthermore, the session recipe also has functions to create a JWT with any payload which you can use to make your own tokens inside these functions. ------------ The above is one possible approach. Alternatively, you can use another method which requires you to add interceptors on the frontend and backend which will map the cookies to headers in the response / request. This will be slightly more complex, but in this case, you don't have to manually issue your own tokens and can take advantage of session features like rotating refresh tokens, update to access token payload, revoking of multiple sessions per user etc.. We even have a demo app for this: https://github.com/supertokens/supertokens-auth-react/tree/master/examples/with-localstorage

Thanks, that comes very close to what I had in mind. Great @rp

we don't yet 😦

I could've checked the github issues as well, it's listed there: https://github.com/supertokens/supertokens-core/issues/406#issuecomment-1102899784 tl;dr: soonish possible, but not documented/maintained yet

The SDK that comment refers will still take a few weeks at least

Okay, thanks a lot for the answers.

sounds good! Since you want to make your own auth with JWTs, you can just use supertokens for issuing the JWT - so you don't have to figure that stuff out.. 🙂