When I get the session back (clientside), is the a...
# help
j
When I get the session back (clientside), is the access token a security issue? Can I store it client side and send it to server when I need to (using setAuth on the server)? Is it a security issue to send it via query params? How secure is it?
j
I store it in an httpOnly, secure cookie. Then pass it to the server-side for use with `setAuth()` as you've mentioned. You should not store it in client-side state management. I assume it shouldn't be sent in query params either, but I don't know for sure.
n
joshcowan25 (2022-06-02)
j
How do you deal with the refresh token?
j
I let the supabase client handle that. Not sure how it works though.