user3211198 user3211198 - 8 months ago 54
Javascript Question

How to use access token that was saved as httpOnly cookie in authentication header?

upon authentication stormpath express sets access token as httpOnly cookie in browser but how can I get the access token from the cookie to put it in authorization header as

Authorization: Bearer ey..access_token
? The token worked when I manually did the request using curl.

Answer Source

The express-stormpath library uses http-only cookies by default, when you post to the /login route, as they are more secure (by preventing access from the JavaScript environment, they cannot be stolen by XSS attacks).

If you need to access the tokens from the JavaScript environment, you should make a post to the /oauth/token endpoint, and you will receive the tokens in the HTTP response body.

This workflow is described here: