Learn how to securely store Crossmint Auth cookies in your application
By default, authentication tokens are stored in non-HttpOnly cookies and are therefore readable by client-side JavaScript. For stronger security, you can store tokens in HttpOnly cookies, which are accessible only on the server side. This setup requires custom routes for refreshing tokens and logging out, built with utilities from @crossmint/server-sdk.
When initializing the server SDK, configure secure cookie options:
```typescript
import { createCrossmint, CrossmintAuth } from "@crossmint/server-sdk";

const crossmint = createCrossmint({ apiKey: process.env.SERVER_CROSSMINT_API_KEY });

const crossmintAuth = CrossmintAuth.from(crossmint, {
  cookieOptions: {
    httpOnly: true,
    secure: true, // Only send cookies over HTTPS
    domain: ".yourdomain.com", // Optional: specify cookie domain
  },
});
```
Note: The httpOnly flag only applies to the refresh token. The session JWT remains accessible to client-side JavaScript since it’s needed for API calls.
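The following is an added example, not code from the Crossmint SDK or this page, showing what the split described in the note looks like at the HTTP level: the refresh token is issued with HttpOnly (and Secure, and the optional Domain), while the session JWT is issued without HttpOnly so client code can still attach it to API calls. It also includes a small audit that parses Set-Cookie headers from a login or refresh response and flags a refresh token that would be readable by client-side JavaScript. The cookie names, the SameSite default and the helper names are assumptions; the SDK's own refresh and logout route helpers are not shown because their API is not described on this page.

```typescript
// Added example (not Crossmint SDK code). Cookie names, the SameSite default
// and all helper names are assumptions; the page only specifies httpOnly,
// secure and domain as cookie options.

type CookieOptions = {
  httpOnly?: boolean;
  secure?: boolean;
  domain?: string;
  sameSite?: "Strict" | "Lax" | "None"; // assumption: not on the page
  path?: string;
  maxAgeSeconds?: number;
};

// Constructed cookie names for the two tokens the page describes.
const SESSION_COOKIE = "example-session-jwt";
const REFRESH_COOKIE = "example-refresh-token";

// Serialise one cookie into a Set-Cookie header value.
function buildSetCookie(name: string, value: string, opts: CookieOptions): string {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  parts.push(`Path=${opts.path ?? "/"}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.maxAgeSeconds !== undefined) parts.push(`Max-Age=${opts.maxAgeSeconds}`);
  parts.push(`SameSite=${opts.sameSite ?? "Lax"}`);
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Issue both cookies for a login or refresh response. The httpOnly option is
// applied to the refresh token only; the session JWT stays readable by client
// JavaScript because it is needed for API calls, as the note above states.
function issueAuthCookies(sessionJwt: string, refreshToken: string, cookieOptions: CookieOptions): string[] {
  const shared: CookieOptions = {
    secure: cookieOptions.secure,
    domain: cookieOptions.domain,
    sameSite: cookieOptions.sameSite,
    path: cookieOptions.path,
  };
  return [
    buildSetCookie(SESSION_COOKIE, sessionJwt, { ...shared, httpOnly: false }),
    buildSetCookie(REFRESH_COOKIE, refreshToken, { ...shared, httpOnly: cookieOptions.httpOnly }),
  ];
}

// Parse a Set-Cookie header back into its name, value and attributes
// (attribute names are lower-cased; flag attributes map to true).
function parseSetCookie(header: string): { name: string; value: string; attrs: Map<string, string | true> } {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = decodeURIComponent(pair.slice(eq + 1));
  const attrs = new Map<string, string | true>();
  for (const a of rest) {
    const i = a.indexOf("=");
    if (i === -1) attrs.set(a.toLowerCase(), true);
    else attrs.set(a.slice(0, i).toLowerCase(), a.slice(i + 1));
  }
  return { name, value, attrs };
}

// Defensive check to run against the Set-Cookie headers of a login/refresh
// response: every auth cookie must be Secure, and the refresh token must be
// HttpOnly so that client-side script (and therefore XSS) cannot read it.
function auditAuthCookies(headers: string[]): string[] {
  const findings: string[] = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c.attrs.has("secure")) findings.push(`${c.name}: missing Secure`);
    if (c.name === REFRESH_COOKIE && !c.attrs.has("httponly")) {
      findings.push(`${c.name}: refresh token readable by client JS (missing HttpOnly)`);
    }
  }
  return findings;
}
```

Running auditAuthCookies over the headers your refresh route actually emits is a cheap regression check that the httpOnly setting survived a deployment or a cookie-option refactor; an empty findings list is the expected result for the configuration shown above.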