
@growy/strapi-plugin-auth-cookie
Strapi v5 plugin to mirror JWT auth tokens into cookies
Plugin that mirrors the JWT issued by Users & Permissions into cookies and reuses it in subsequent requests. Includes settings in the Strapi dashboard and signature verification to detect tampered tokens.
What it does:
- Sets an access_token cookie upon login, registration, reset, or OAuth.
- Sets an access_token.sig cookie via HMAC using Strapi's secret.
- Injects Authorization: Bearer <token> into every incoming request if the signature is valid.

Installation:

npm install @growy/strapi-plugin-auth-cookie
# or
yarn add @growy/strapi-plugin-auth-cookie

Configuration: add the plugin to your config/plugins.js file:
module.exports = () => ({
  'auth-cookie': {
    enabled: true,
    config: {
      enabled: true,
      cookieName: 'access_token',
      signatureCookieName: 'access_token.sig',
      signatureEnabled: true,
      signatureHttpOnly: true,
      path: '/',
      domain: null,
      secure: false,
      httpOnly: true,
      sameSite: 'lax',
      maxAge: null,
    },
  },
});
After modifying the configuration, run npm run build and restart Strapi. Settings can also be managed from Admin → Settings → Auth Cookie.
Options:
- enabled: Enables cookie mirroring.
- cookieName: Name of the cookie that carries the JWT.
- signatureEnabled: Enables the signature cookie; disable it only if you cannot access the JWT secret.
- signatureCookieName: Name of the signature cookie.
- signatureHttpOnly: Controls whether the signature cookie is accessible from JavaScript (it is recommended to leave it set to true).
- path, domain: Cookie scope.
- secure, httpOnly, sameSite: Security attributes.
- maxAge: Duration in milliseconds (null = session cookie).

CORS: update config/middlewares.js to allow your frontend origin and enable credentials: true:

module.exports = [
  {
    name: 'strapi::cors',
    config: {
      origin: ['https://app.example.com'],
      credentials: true,
    },
  },
];
Deployment notes:
- Set url and proxy: true in config/server.js if you're using a CDN or a proxy (Nginx, Cloudflare).
- Use sameSite: 'none' and secure: true when the frontend and API are on different domains.
- Set domain to .your-domain.com if you're sharing cookies across subdomains.

Frontend login example:

await fetch(`${import.meta.env.VITE_STRAPI_URL}/api/auth/local`, {
  method: "POST",
  credentials: "include",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ identifier, password }),
});
The plugin will add the Authorization header to subsequent requests as long as access_token and access_token.sig are still valid.
License: MIT