Handling session tokens
There are two modes ways in which you can use sessions with SuperTokens:
- Using
httpOnly
cookies - Authorization bearer token.
Our frontend SDK uses httpOnly
cookie based session for websites by default as it secures against tokens theft via XSS attacks. For other platform like mobile apps, we use a bearer token in the Authorization header by default. This setting can be changed as described in the token transfer section
#
If using our frontend SDK#
For Websuccess
No action required.
Our frontend SDK handles everything for you. You only need to make sure that you have called supertokens.init
before making any network requests.
Our SDK adds interceptors to fetch
and XHR
(used by axios
) to save and add session tokens from and to the request.
note
By default, our web SDKs use cookies to provide credentials.
#
For React-NativeOur frontend SDK handles everything for you. You only need to make sure that you have added our network interceptors as shown below
note
By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.
#
For Androidnote
By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.
#
For iOSnote
By default our mobile SDKs use a bearer token in the Authorization header to provide credentials.
#
If not using our frontend SDKcaution
We highly recommend using our frontend SDK to handle session token management. It will save you a lot of time.
In this case, you will need to manually handle the tokens and session refreshing, and decide if you are going to use header or cookie-based sessions.
For browsers, we recommend cookies, while for mobile apps (or if you don't want to use the built-in cookie manager) you should use header-based sessions.