Auth0 Home Blog Docs

Store Auth0 JWT in httpOnly cookie


Hi there,

I have a GraphQL endpoint (express-apollo + prisma) that I am trying to secure with Auth0. I have a decoupled frontend app that needs to authenticate in order to be able to access the endpoint. For security reasons, I CANNOT (refuse to) store the JWT sent from Auth0 to the client anyplace except in an httpOnly secure cookie. I have yet to find a way to poke the Auth0 API into passing JWTs directly to customers as httpOnly secure cookies. As such, I suspect I need to have the client hit a /login and /register route on my server, so that the server can request the JWT directly from Auth0, then package it into a cookie to pass to the client.

I am experiencing some difficulty implementing this (currently I get a “failed to fetch user profile” error from Auth0 upon login attempt, so I wanted to reach out on here and see if someone can point me in the right direction as to which of the recommended “login flows” I should be using for this case.

On a side note, also wishing to provide some general feedback to Auth0 - I am left somewhat dumbfounded and disheartened that Auth0 recommends not storing JWTs in localstorage:

yet most of Auth0’s docs and tutorials use localstorage to set tokens received from Auth0, particularly when it comes to the auth flows recommended for decoupled front end applications. It is contradictory and Auth0 is most certainly not promoting security best practices in their tutorials. I’d appreciate hearing from someone at Auth0 on this seemingly problematic situation.

Thanks in advance

1 Like