Skip to main content
important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Token header names should follow header naming convention

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:
proposed
Deciders:
rishabhpoddar, porcellus
Proposed by:
porcellus
Created:
2022-10-25
Last updated:
2022-11-22

Context and Problem Statement#

We send access and refresh tokens through headers in header based auth mode. We need to decide how to name them

Considered Options#

  • Follow cookie names (sAccessToken, sRefreshToken) + Authorization header
  • Follow header naming convention (st-access-token, st-refresh-token) + Authorization header

Decision Outcome#

Follow header naming convention: s-access-token, s-refresh-token (BE -> FE)

Use Authorization header when making API calls (FE -> BE):

  • It'll contain the access token in general.
  • It'll contain the refresh token in refresh session calls.

Pros and Cons of the Options#

Follow cookie names (sAccessToken, sRefreshToken)#

  • Easier to communicate

    • Follow header naming convention (s-access-token, s-refresh-token)#

  • Follows header naming conventions
  • More explicit prefix
  • Separate documentation
    • Which frontend SDK do you use?
    supertokens-web-js / mobile
    supertokens-auth-react