I have a Next.js application and am using supabase authentication in my client side, following their doc. I noticed a cookie called “sb-*******-auth-token” which has a JWT in the format below. Exposing the refresh token in a regular cookie (without setting it as HttpOnly) goes against my past experience.
The docs say that it’s fine, but I’m doubtful. Is anyone else in the same boat, or doing auth differently?
```json
{
  "access_token": "****",
  "token_type": "bearer",
  "expires_in": 3600,
  "expires_at": 1734211318,
  "refresh_token": "****",
  "user": {
    "id": "****",
    "aud": "authenticated",
    "role": "authenticated",
    "email": "******",
    "email_confirmed_at": "2024-12-04T19:47:58.123776Z",
    "invited_at": "2024-12-04T19:45:50.18422Z",
    "phone": "",
    "confirmed_at": "2024-12-04T19:47:58.123776Z",
    "last_sign_in_at": "2024-12-14T21:15:43.780684Z",
    "app_metadata": {
      "provider": "email",
      "providers": [
        "email"
      ]
    },
    "user_metadata": {},
    "identities": [
      {
        "identity_id": "315f7706-1c6c-47e7-aefd-ab37fd194e3c",
        "id": "c396d534-3d94-4efd-a4b6-dfbb38d6cc5e",
        "user_id": "c396d534-3d94-4efd-a4b6-dfbb38d6cc5e",
        "identity_data": {
          "email": "*******",
          "email_verified": false,
          "phone_verified": false,
          "sub": "*******"
        },
        "provider": "email",
        "last_sign_in_at": "2024-12-04T19:45:50.18208Z",
        "created_at": "2024-12-04T19:45:50.182131Z",
        "updated_at": "2024-12-04T19:45:50.182131Z",
        "email": "*******"
      }
    ],
    "created_at": "2024-12-04T19:45:50.179966Z",
    "updated_at": "2024-12-14T21:20:58.987821Z",
    "is_anonymous": false
  }
}
```
I’ve tried following the App router integration docs for supabase, but am seeing the refresh token exposed in the browser cookie.
Kevin Wu is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
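As an added example (not code from the question, from Supabase, or from the Next.js docs), here is a small audit that a defender can run over the Set-Cookie headers an app emits: it parses each cookie, picks out the session cookie by the `sb-*-auth-token` name pattern and the `refresh_token` field shown above, and reports whether that token is readable by page script because HttpOnly is absent. The chunk suffix in the name pattern and the URL-encoded-JSON value encoding are assumptions; the sample headers are constructed.

```javascript
// Added example (not from the question or Supabase): audit Set-Cookie headers
// for Supabase session cookies that hold a refresh_token but lack HttpOnly.
// Cookie name pattern and JSON fields follow the question; samples are constructed.

// Chunk suffix (".0", ".1") is an assumption about how long values are split.
const SESSION_COOKIE = /^sb-[^=;]+-auth-token(\.\d+)?$/;

// Parse one Set-Cookie header into { name, value, attrs } with attribute
// names lower-cased; flag attributes such as HttpOnly map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Decode the value as the URL-encoded JSON session object from the question;
// null when it is something else (a chunk, or another encoding).
function sessionFromCookie(value) {
  try { return JSON.parse(decodeURIComponent(value)); } catch { return null; }
}

// One finding per session cookie: is a refresh token readable by page script,
// and which hardening attributes are absent.
function auditCookies(headers) {
  return headers.map(parseSetCookie).filter((c) => SESSION_COOKIE.test(c.name)).map((c) => {
    const session = sessionFromCookie(c.value);
    const missing = ['httponly', 'secure', 'samesite'].filter((k) => !(k in c.attrs));
    const refreshTokenExposed = Boolean(session && session.refresh_token) && missing.includes('httponly');
    return { name: c.name, refreshTokenExposed, missing };
  });
}

// Constructed sample: one Supabase session cookie set without HttpOnly or Secure,
// plus an unrelated cookie that should be ignored.
const SAMPLE_HEADERS = [
  'sb-demo-auth-token=' +
    encodeURIComponent(JSON.stringify({ access_token: 'a', refresh_token: 'r', user: { id: 'u' } })) +
    '; Path=/; SameSite=Lax',
  'theme=dark; Path=/; HttpOnly',
];
```

Feed it the headers captured from your own app's responses (or the cookies a middleware sets) to confirm which session cookies are script-readable before deciding whether the documented behaviour is acceptable for your threat model.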