Access Token Confusion

I am building an isomorphic application with next.js. However, I am confused about access token implementation. I am using the auth0js library.

When the browser takes over, I use [checkSession](https://auth0.github.io/auth0.js/global.html#checkSession) to perform silent auth, the browser will request information from Auth0.

However, the checkSession promise will return tokens in the result variable.

This means that it’s possible for the user to open up chrome dev tools, and set a breakpoint in the client code and view the idToken and accessToken variables.

Does this mean that idToken and accessToken variables are “allowed” to be exposed through the browser?

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?