RegisterLogin
DocsPricing
RegisterLogin
  • Getting Started
  • Introduction
  • Quick Start
  • SDKs
  • React
  • TypeScript
  • Next.js
  • Express
  • NestJS
  • Python
  • API Reference
  • Support and Resources
  • FAQ
  • Contact Support
AuthSafe

Product

HighlightFeatureIntegrationPricingFAQ

Company

AboutBlogContactSitemap

Developer

DashboardDocumentation

Legal

Terms & ConditionsPrivacyComplianceShippingCancellation
© 2026 AuthSafe. All rights reserved.

We value your privacy

This website uses cookies for anonymous analytics to help us improve your experience. No personal information is stored or shared. You can allow or reject analytics tracking at any time. See our Privacy Policy.

We use cookies for anonymous analytics. No personal info is stored. See our Privacy Policy.

Session Management

Secure cookie-based session and token management for Express.js applications.

Overview

AuthSafe uses secure HTTP-only cookies to store authentication tokens. The session module provides utilities for managing these cookies and tokens:
  1. setAuthCookies() - Store tokens in cookies
  2. getAuthCookies() - Retrieve tokens from cookies
  3. clearAuthCookies() - Clear all auth cookies
  4. refreshTokens() - Refresh access tokens

Import

import {
  setAuthCookies,
  getAuthCookies,
  clearAuthCookies,
  refreshTokens,
} from 'authsafe-express';

Cookie Storage

Cookie Names

By default, cookies use the authsafe. prefix:
  • authsafe.id_token - ID token (JWT)
  • authsafe.access_token - Access token (JWT)
  • authsafe.refresh_token - Refresh token (opaque)
  • authsafe.expires_at - Expiration timestamp

Custom Prefix

initAuthSafe({
  // ...
  cookies: {
    prefix: 'myapp', // myapp.id_token, myapp.access_token, etc.
  },
});

Cookie Security

All cookies are set with:
  • httpOnly: true - Not accessible via JavaScript
  • secure: true - HTTPS only (production)
  • sameSite: 'lax' - CSRF protection
  • path: '/' - Available to all routes

setAuthCookies()

Store authentication tokens in secure cookies. 
function setAuthCookies(
  res: Response,
  tokens: AuthTokens,
  config: AuthSafeConfig,
): void;

Parameters

ParameterTypeDescription
resResponseExpress response object
tokensAuthTokensToken object with id_token, access_token, etc.
configAuthSafeConfigCookie configuration

Usage

import { setAuthCookies } from 'authsafe-express';

app.post('/auth/manual-login', async (req, res) => {
  // Exchange credentials for tokens
  const tokens = await exchangeCredentials(req.body);

  // Store in cookies
  setAuthCookies(res, tokens, {
    clientId: process.env.AUTHSAFE_CLIENT_ID!,
    domain: process.env.AUTHSAFE_DOMAIN!,
  });

  res.json({ success: true });
});

AuthTokens Interface

interface AuthTokens {
  /** ID token (JWT) */
  idToken: string;

  /** Access token (JWT) */
  accessToken: string;

  /** Refresh token (opaque) */
  refreshToken?: string;

  /** Token expiration (Unix timestamp in seconds) */
  expiresAt: number;
}

getAuthCookies()

Retrieve authentication tokens from cookies. 
function getAuthCookies(
  req: Request,
  config: AuthSafeConfig,
): AuthTokens | null;

Usage

import { getAuthCookies } from 'authsafe-express';

app.get('/auth/check', (req, res) => {
  const tokens = getAuthCookies(req, {
    clientId: process.env.AUTHSAFE_CLIENT_ID!,
    domain: process.env.AUTHSAFE_DOMAIN!,
  });

  if (tokens) {
    res.json({ authenticated: true, expiresAt: tokens.expiresAt });
  } else {
    res.json({ authenticated: false });
  }
});

Returns

Returns AuthTokens object if all required cookies exist, otherwise null.

clearAuthCookies()

Clear all authentication cookies. 
function clearAuthCookies(res: Response, config: AuthSafeConfig): void;

Usage

import { clearAuthCookies } from 'authsafe-express';

app.post('/auth/clear-session', (req, res) => {
  clearAuthCookies(res, {
    clientId: process.env.AUTHSAFE_CLIENT_ID!,
    domain: process.env.AUTHSAFE_DOMAIN!,
  });

  res.json({ message: 'Session cleared' });
});

refreshTokens()

Refresh access and ID tokens using refresh token. 
async function refreshTokens(
  refreshToken: string,
  config: AuthSafeConfig,
): Promise<AuthTokens>;

Usage

import {
  refreshTokens,
  getAuthCookies,
  setAuthCookies,
} from 'authsafe-express';

app.post('/auth/manual-refresh', async (req, res) => {
  const tokens = getAuthCookies(req, {
    clientId: process.env.AUTHSAFE_CLIENT_ID!,
    domain: process.env.AUTHSAFE_DOMAIN!,
  });

  if (!tokens?.refreshToken) {
    return res.status(401).json({ error: 'No refresh token' });
  }

  try {
    const newTokens = await refreshTokens(tokens.refreshToken, {
      clientId: process.env.AUTHSAFE_CLIENT_ID!,
      clientSecret: process.env.AUTHSAFE_CLIENT_SECRET!,
      domain: process.env.AUTHSAFE_DOMAIN!,
    });

    setAuthCookies(res, newTokens, {
      clientId: process.env.AUTHSAFE_CLIENT_ID!,
      domain: process.env.AUTHSAFE_DOMAIN!,
    });

    res.json({ success: true });
  } catch (error) {
    res.status(401).json({ error: 'Refresh failed' });
  }
});
Client Secret Required
Token refresh requires clientSecret for authentication.

Complete Examples

Custom Token Storage

import {
  getAuthCookies,
  setAuthCookies,
  clearAuthCookies,
} from 'authsafe-express';

const authConfig = {
  clientId: process.env.AUTHSAFE_CLIENT_ID!,
  clientSecret: process.env.AUTHSAFE_CLIENT_SECRET!,
  domain: process.env.AUTHSAFE_DOMAIN!,
};

// Store tokens after manual authentication
app.post('/auth/custom-login', async (req, res) => {
  const tokens = await customAuthFlow(req.body);

  setAuthCookies(res, tokens, authConfig);
  res.json({ success: true });
});

// Check session status
app.get('/auth/status', (req, res) => {
  const tokens = getAuthCookies(req, authConfig);

  res.json({
    authenticated: !!tokens,
    expiresAt: tokens?.expiresAt,
  });
});

// Clear session
app.post('/auth/clear', (req, res) => {
  clearAuthCookies(res, authConfig);
  res.json({ message: 'Session cleared' });
});

Automatic Token Refresh

import {
  getAuthCookies,
  refreshTokens,
  setAuthCookies,
} from 'authsafe-express';
import { isTokenExpired, shouldRefreshToken } from 'authsafe-express';

async function autoRefreshMiddleware(req: any, res: any, next: any) {
  const tokens = getAuthCookies(req, authConfig);

  if (!tokens) {
    return next();
  }

  // Check if token needs refresh (expires in < 5 minutes)
  if (shouldRefreshToken(tokens.expiresAt) && tokens.refreshToken) {
    try {
      const newTokens = await refreshTokens(tokens.refreshToken, authConfig);
      setAuthCookies(res, newTokens, authConfig);
    } catch (error) {
      console.error('Auto-refresh failed:', error);
      clearAuthCookies(res, authConfig);
    }
  }

  next();
}

// Apply to all routes
app.use(autoRefreshMiddleware);

Session Expiration Check

import { getAuthCookies } from 'authsafe-express';
import { isTokenExpired } from 'authsafe-express';

app.get('/api/data', (req, res) => {
  const tokens = getAuthCookies(req, authConfig);

  if (!tokens || isTokenExpired(tokens.expiresAt)) {
    return res.status(401).json({
      error: 'Session expired',
      redirect: '/auth/signin',
    });
  }

  res.json({ data: getData() });
});

Cookie Configuration

Production Settings

initAuthSafe({
  clientId: process.env.AUTHSAFE_CLIENT_ID!,
  clientSecret: process.env.AUTHSAFE_CLIENT_SECRET!,
  domain: process.env.AUTHSAFE_DOMAIN!,
  cookies: {
    prefix: 'authsafe',
    secure: true, // HTTPS only
    sameSite: 'lax', // CSRF protection
    domain: '.myapp.com', // Share across subdomains
  },
  session: {
    maxAge: 7 * 24 * 60 * 60, // 7 days
  },
});

Development Settings

initAuthSafe({
  clientId: process.env.AUTHSAFE_CLIENT_ID!,
  clientSecret: process.env.AUTHSAFE_CLIENT_SECRET!,
  domain: process.env.AUTHSAFE_DOMAIN!,
  cookies: {
    secure: false, // Allow HTTP in development
    sameSite: 'lax',
  },
  session: {
    maxAge: 24 * 60 * 60, // 24 hours
  },
});

Security Best Practices

  1. Always use HTTPS in production - Required for secure cookies
  2. Set httpOnly flag - Prevent XSS attacks (enabled by default)
  3. Use sameSite attribute - CSRF protection (enabled by default)
  4. Set appropriate maxAge - Balance security and UX
  5. Never expose tokens in URLs - Use cookies only
  6. Implement token refresh - Keep sessions alive securely
  7. Clear cookies on logout - Prevent session reuse

CORS Configuration

For cross-origin requests, enable credentials: 
import cors from 'cors';

app.use(
  cors({
    origin: 'https://yourfrontend.com',
    credentials: true, // Allow cookies
  }),
);
Client-side: 
fetch('https://api.yourapp.com/auth/status', {
  credentials: 'include', // Send cookies
});

Troubleshooting

Cookies Not Set

Ensure cookie-parser is applied before auth routes: 
app.use(cookieParser()); // ✅ Before routes

app.get('/auth/callback', handleCallback);

Cookies Not Sent

Check CORS configuration and credentials: 
// Server
app.use(
  cors({
    origin: 'https://frontend.com',
    credentials: true,
  }),
);

// Client
fetch('/api/data', { credentials: 'include' });

Secure Cookie Error in Development

Disable secure cookies for local development: 
cookies: {
  secure: process.env.NODE_ENV === 'production',
}

Cookie Domain Mismatch

Ensure domain includes leading dot for subdomains: 
// ✅ Correct - works for api.app.com and www.app.com
cookies: {
  domain: '.app.com';
}

// ❌ Wrong - only works for exact domain
cookies: {
  domain: 'app.com';
}

Related

  • Setup - Cookie configuration
  • Middleware - Using sessions in routes
  • Route Handlers - Automatic cookie management
  • JWT Utilities - Token verification