Is there a way to have a hybrid scheme on how the ...
# general
m
Is there a way to have a hybrid scheme on how the access tokens are stored? In our case we have both our web app in nextjs and a chrome extension. For the web app I am fine with using cookies and it works well. However, browser extensions don't really support cookies and the suggested methodology for storing credentials seems to be to use localstorage with a JWT. I see that SuperTokens supports JWT, but I don't want to switch our nextjs application to JWT too if possible. Can I change the type based on a header or some configuration?
r
hey @marshmalon if you enable JWTs, that too requires a session to be stored in cookies for it to work. What you can do is to have two entirely separate modes of sessions:
- one is the default way we do it (for nextjs)
- one you can write your own that creates a JWT and sends that in the response body of sign in.

You can do this by overriding the `createNewSession` and `getSession` recipe functions of the session recipe. When making a request from the chrome extension, you can add some custom header indicating it's a chrome extension and then override the `createNewSession` function on the backend to check if this header is present. If it is, then you can create a JWT in that function and attach that to the response headers. Else, you can call the originalImplementation (for nextJS). When overriding `getSession`, you can check if the input is a JWT authorisation bearer token. If it is, you can verify that using any JWT verification lib and return a session object. Else you can call the originalImplementation (for nextJS). Docs that you might need for this:
- https://supertokens.com/docs/session/advanced-customizations/backend-functions-override/usage
- https://supertokens.com/docs/thirdpartyemailpassword/advanced-customizations/user-context
(I'm not sure which recipe you are using, but the above one is for session + thirdpartyemailpassword)
m
Sweet this is the exact answer I was looking for
r
Cool. This might get a little complex to implement since we have no examples of this. But feel free to ask questions as you go along