upon authentication stormpath express sets access token as httpOnly cookie in browser but how can I get the access token from the cookie to put it in authorization header as
Authorization: Bearer ey..access_token
The express-stormpath library uses http-only cookies by default, when you post to the
/oauth/token endpoint, and you will receive the tokens in the HTTP response body.
This workflow is described here: