Where to store refresh token on WEB?

Hi team!
I’m asking this question because there are no articles about storing tokens in the browser.
OK, we have cache, local/session storage, and cookies. Cookies look like the more secure storage, with the possibility to mark our tokens as secure, httpOnly, sameSite.

We have the same storage for the access and refresh tokens.
Is it normal or not to store both tokens in cookies with all flags?
(I didn’t find anything bad, but it looks like I am missing some cases)

Hi @httpnotonly,

Thanks for joining us in the Auth0 Community!

Did you get a chance to look at this doc:

The answer is going to depend on your framework.

Are you using a regular web app or SPA?

