Hello,
I’m setting up Playwright end-to-end tests for our React SPA that uses @auth0/auth0-react. I’d like to keep cacheLocation on the recommended default (“memory”) per your token storage guidance (Token Storage - Auth0 Docs), which explicitly warns:
> If an attacker can achieve running JavaScript in the SPA using a cross-site scripting (XSS) attack, they can retrieve the tokens stored in local storage.
…and recommends in-memory storage as the most secure option. I want to honor that recommendation in our production build.
Yet, the examples I’m finding seem to rely on local storage for storing the token:
With cacheLocation="memory", the SDK has no tokens on a fresh page load, so it falls back to silent authentication via a hidden iframe to /authorize?prompt=none. In our test browser, this round-trip (~1–2s) loses the race against test assertions that immediately check for authenticated UI — the home dashboard renders empty before silent auth completes, and the test fails.
Could I get some proper guidance, please?
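
The race described above can be removed without moving tokens out of memory by making the test wait for the silent-auth round-trip before it asserts. This is an added example, not part of the original post and not Auth0 or Playwright project code. It assumes the SDK completes silent authentication with a POST to `/oauth/token`; the helper names, the `example.test` URLs and the fake page (a constructed stand-in so the code runs offline) are hypothetical.

```javascript
// True for the token-exchange response that ends silent authentication.
// Assumption: the exchange is a POST to tokenPath on the tenant domain.
function isTokenExchange(res, tokenPath) {
  return new URL(res.url()).pathname === tokenPath &&
    res.request().method() === 'POST';
}

// Navigate and block until silent auth has finished. Uses only
// page.goto() and page.waitForResponse(), which a Playwright page provides.
// Nothing is written to localStorage, so cacheLocation stays "memory".
async function gotoAndWaitForSilentAuth(page, url,
    { tokenPath = '/oauth/token', timeout = 10000 } = {}) {
  // Register the wait BEFORE navigating so a fast response is not missed.
  const pending = page.waitForResponse(
    (res) => isTokenExchange(res, tokenPath), { timeout });
  const [res] = await Promise.all([pending, page.goto(url)]);
  if (!res.ok()) throw new Error(`silent auth failed: HTTP ${res.status()}`);
  return res.status();
}

// Constructed stand-in for a Playwright page: it "receives" the token
// response delayMs after goto(), mimicking the 1-2 s round-trip.
function makeFakePage(delayMs, status = 200) {
  const waiters = [];
  const res = {
    url: () => 'https://tenant.example.test/oauth/token',
    status: () => status,
    ok: () => status >= 200 && status < 300,
    request: () => ({ method: () => 'POST' }),
  };
  return {
    waitForResponse: (pred, { timeout }) => new Promise((resolve, reject) => {
      const timer = setTimeout(
        () => reject(new Error('timeout waiting for response')), timeout);
      waiters.push((r) => { if (pred(r)) { clearTimeout(timer); resolve(r); } });
    }),
    goto: async () => { setTimeout(() => waiters.forEach((w) => w(res)), delayMs); },
  };
}

// Offline demo: resolves once the simulated token exchange arrives.
gotoAndWaitForSilentAuth(makeFakePage(50), 'https://app.example.test/')
  .then((status) => console.log('token exchange status', status));
```

In a real test, pass the Playwright `page` and follow the call with a retrying assertion such as `await expect(locator).toBeVisible()`, so the dashboard check polls instead of running once.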