I am building an isomorphic application with next.js. However, I am confused about access token implementation. I am using the auth0js library.
When the browser takes over, I use [checkSession](https://auth0.github.io/auth0.js/global.html#checkSession) to perform silent auth, the browser will request information from Auth0.
However, the `checkSession` promise will return tokens in the `result` variable.
This means that it’s possible for the user to open up chrome dev tools, and set a breakpoint in the client code and view the `idToken` and `accessToken` variables.
Does this mean that `idToken` and `accessToken` variables are “allowed” to be exposed through the browser?