Skip to main content
important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Default to header based auth if not specified by the FE

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:
proposed
Deciders:
rishabhpoddar, porcellus
Proposed by:
porcellus
Created:
2022-10-25
Last updated:
2022-11-22

Context and Problem Statement#

We have to decide which auth mode to use if it's not specified by the FE during session creation.

Considered Options#

  • Header
  • Cookie
  • Cookie if rid is present, header otherwise

Decision Outcome#

Header

Pros and Cons of the Options#

Header#

  • Useful for curl, wget, and in situation where we have no SDK (e.g.: SSR, manual request)
  • Harder to use in Postman
  • Support for older SDKs?
  • If we have an updated SDK present all solutions work equally well

    • Cookie#

  • Cookies can be hard to use without a browser/our SDK
  • Supports older SDK versions naturally
  • If we have an updated SDK present all solutions work equally well

    • Cookie if rid is present, header otherwise#

  • Useful for curl, wget, etc.
  • Useful in situation where we have no SDK (e.g.: SSR, manual request)
  • Harder to use in Postman
  • Harder to communicate - seemingly unrelated rid header modifies this
  • Supports older SDKs
  • If we have an updated SDK present all solutions work equally well
    • Which frontend SDK do you use?
    supertokens-web-js / mobile
    supertokens-auth-react