Cookies & session management
Stytch will automatically save the User's Session in two cookies:
- stytch_session that will contain the opaque session token returned from the API
- stytch_session_jwt that will contain the session JWT returned from the API
For example, if you load the SDK on https://app.mycoolsite.com it will set
- document.cookie = "stytch_session=secret-session; domain=app.mycoolsite.com; path=/; SameSite=Lax; Secure; max-age=whenever-it-expires"
- document.cookie = "stytch_session_jwt=eyJhxxx.xxx.xxx; domain=app.mycoolsite.com; path=/; SameSite=Lax; Secure; max-age=whenever-it-expires"
Cookie Configuration Options
The Stytch Client allows you to configure the following directives and values related to cookie management:
{
"cookieOptions": {
/**
* The name of the cookie containing the opaque Stytch session token.
* Defaults to `stytch_session`
*/
"opaqueTokenCookieName": "string",
/**
* The name of the cookie containing the opaque Stytch session token.
* Defaults to `stytch_session_jwt`
*/
"jwtCookieName": "string",
/**
* What HTTP paths the cookies should be available on.
* Equal to configuring the `;path=${}` param in the set-cookie directive.
* Defaults to unset.
*/
"path": "string",
/**
* What domain the cookies should be available on.
* Equal to configuring the `;domain=${}` param in the set-cookie directive.
* Requires setting availableToSubdomains to have any effect.
* Defaults to unset.
*/
"domain": "string",
/**
* Whether to make the cookies available to subdomains.
* When true, equivalent to configuring the `;domain=${window.location.host}` directive
* When false, equivalent to leaving the directive unset
* Defaults to false.
*/
"availableToSubdomains": "boolean"
}
}
To override the defaults, set the desired values in the cookieOptions and pass it as part of the optional second parameter object when initializing the Stytch Client.
import { StytchHeadlessClient } from "@stytch/vanilla-js"
const STYTCH_PUBLIC_TOKEN = 'YOUR_PUBLIC_TOKEN';
const stytchOptions = {
cookieOptions: {
opaqueTokenCookieName: "my_stytch_session",
jwtCookieName: "my_stytch_session_jwt",
path: "/",
availableToSubdomains: true,
domain: "app.example.com",
}
}
const stytchClient = new StytchHeadlessClient(STYTCH_PUBLIC_TOKEN, stytchOptions)
Authenticating sessions on your backend
Since the session is stored in the site's cookies, the browser will include these cookies in the request headers to your backend if they share a domain. For any protected requests, your backend should validate either the stytch_session or stytch_session_jwt before processing with the request. The session may be validated using any Backend SDK.
Validating the opaque session in Node.js / Express.
const express = require('express');
const cookieParser = require('cookie-parser');
const app = express();
app.use(cookieParser());
app.use(authenticateStytchSession);
const client = new stytch.Client({
project_id: process.env.STYTCH_PROJECT_ID,
secret: process.env.STYTCH_SECRET,
env: stytch.envs.test,
});
const authenticateStytchSession = (req, res, next) => {
return client.sessions.authenticate({
session_token: req.cookies['stytch_session'],
})
.then(session => {
req.stytchSession = session;
return next();
})
.catch(next)
};
Validating the JWT in Node.js / Express.
const express = require('express');
const cookieParser = require('cookie-parser');
const app = express();
app.use(cookieParser());
app.use(authenticateStytchSession);
const client = new stytch.Client({
project_id: process.env.STYTCH_PROJECT_ID,
secret: process.env.STYTCH_SECRET,
env: stytch.envs.test,
});
const authenticateStytchSession = (req, res, next) => {
return client.sessions.authenticateJwt(req.cookies['stytch_session_jwt'])
.then(session => {
req.stytchSession = session;
return next();
})
.catch(next)
};
Overwriting the SDK managed session
In certain cases you may need to manually override the Stytch Session managed by the frontend SDK with a Session available on your backend. A common reason would be when adding custom claims to a Session which is an action that can only be done server-side.
In order to override the SDK managed Session you will need to overwrite the the stytch_session and stytch_session_jwt browser cookies. This can be done by setting the cookies in the response headers from your backend, or by setting the values directly on document.cookie. Be sure to use the same cookie names and properties which are normally set by the SDK.
In most cases, the SDK will automatically detect the new values, and proceed as normal. However, if the SDK is not properly reacting to the updated Session you can force the SDK to refresh the session.
// Call session authentication without any parameters to refresh the session in the SDK
stytchClient.session.authenticate();