# help

joshcowan25

06/02/2022, 4:24 AM
When I get the session back (client-side), is the access token a security issue? Can I store it client-side and send it to the server when I need to (using setAuth on the server)? Is it a security issue to send it via query params? How secure is it?

Jason Creviston

06/02/2022, 5:42 AM
I store it in an httpOnly, secure cookie. Then pass it to the server-side for use with setAuth() as you've mentioned. You should not store it in client-side state management. I assume it shouldn't be sent in query params either, but I don't know for sure.

joshcowan25

06/02/2022, 5:59 AM
How do you deal with the refresh token?

Jason Creviston

06/02/2022, 11:36 AM
I let the Supabase client handle that. Not sure how it works though.