Authentication tokens are accessible to client-side JavaScript by default through non-HttpOnly cookies. For stronger security, you can store tokens in HttpOnly cookies, which are accessible only on the server side. This setup requires custom routes for refreshing tokens and logging out, using utilities from @crossmint/server-sdk. When initializing the server SDK, configure secure cookie options: 
import { createCrossmint, CrossmintAuth } from "@crossmint/server-sdk";

const crossmint = createCrossmint({ apiKey: process.env.SERVER_CROSSMINT_API_KEY });
const crossmintAuth = CrossmintAuth.from(crossmint, {
    cookieOptions: {
        httpOnly: true,
        secure: true, // Only send cookies over HTTPS
        domain: ".yourdomain.com", // Optional: specify cookie domain
    },
});
Note: The httpOnly flag only applies to the refresh token. The session JWT remains accessible to client-side JavaScript since it’s needed for API calls.

2. Custom Routes Implementation

Token Refresh Route

import { createCrossmint, CrossmintAuth } from "@crossmint/server-sdk";
import { NextRequest } from "next/server";

const crossmint = createCrossmint({ apiKey: process.env.SERVER_CROSSMINT_API_KEY! });
const crossmintAuth = CrossmintAuth.from(crossmint);

export async function POST(request: NextRequest) {
    return await crossmintAuth.handleCustomRefresh(request);
}

Logout Route

import { createCrossmint, CrossmintAuth } from "@crossmint/server-sdk";
import { NextRequest } from "next/server";

const crossmint = createCrossmint({ apiKey: process.env.SERVER_CROSSMINT_API_KEY! });
const crossmintAuth = CrossmintAuth.from(crossmint);

export async function POST(request: NextRequest) {
    return await crossmintAuth.logout(request);
}

3. Client Configuration

Configure the client SDK to use your custom routes: 
import { createCrossmint, CrossmintAuth } from "@crossmint/client-sdk-auth";

const crossmint = createCrossmint({ apiKey: process.env.NEXT_PUBLIC_CLIENT_CROSSMINT_API_KEY! });
const crossmintAuth = CrossmintAuth.from(crossmint, {
    refreshRoute: "/api/auth/refresh",
    logoutRoute: "/api/auth/logout"
});
Note: Depending on the framework you’re using, you might need to set the whole URL in the refreshRoute and logoutRoute options.