Auth Cookie

Syncs JWT auth tokens into cookies for Strapi v5

Auth Cookie (Strapi v5)

Plugin that mirrors the JWT issued by Users & Permissions into cookies and reuses it in subsequent requests. Includes settings in the Strapi dashboard and signature verification to detect tampered tokens.

What it does

  • Sends the JWT in the access_token cookie upon login, registration, reset, or OAuth.
  • Generates the signed access_token.sig cookie via HMAC using Strapi's secret.
  • Injects Authorization: Bearer <token> into every incoming request if the signature is valid.
  • Clears both cookies when the plugin is disabled or an invalid signature is detected.

Installation

npm install @growy/strapi-plugin-auth-cookie
# or
yarn add @growy/strapi-plugin-auth-cookie

Basic configuration

config/plugins.js file:

module.exports = () => ({
  'auth-cookie': {
    enabled: true,
    config: {
      enabled: true,
      cookieName: 'access_token',
      signatureCookieName: 'access_token.sig',
      signatureEnabled: true,
      signatureHttpOnly: true,
      path: '/',
      domain: null,
      secure: false,
      httpOnly: true,
      sameSite: 'lax',
      maxAge: null,
    },
  },
});

After modifying the configuration, run npm run build and restart Strapi. Settings can also be managed from Admin → Settings → Auth Cookie.

Available Options

  • enabled: Enables cookie mirroring.
  • cookieName: Name of the JWT in the cookie.
  • signatureEnabled: Enables the signature cookie; disable it only if you cannot access the JWT secret.
  • signatureCookieName: Name of the signature cookie.
  • signatureHttpOnly: Controls whether the signature is accessible from JavaScript (it is recommended to leave it set to true).
  • path, domain: Cookie scope.
  • secure, httpOnly, sameSite: Security attributes.
  • maxAge: Duration in milliseconds (null = session cookie).

Production Checklist

  1. Configure CORS in config/middlewares.js to allow your frontend and enable credentials: true:

module.exports = [
  {
    name: 'strapi::cors',
    config: {
      origin: ['https://app.example.com'],
      credentials: true,
    },
  },
];

  2. Set url and proxy: true in config/server.js if you're using a CDN or a proxy (Nginx, Cloudflare).
  3. Use sameSite: 'none' and secure: true when the frontend and API are on different domains.
  4. Set the domain to .your-domain.com if you're sharing cookies across subdomains.

Frontend Example

await fetch(`${import.meta.env.VITE_STRAPI_URL}/api/auth/local`, {
  method: "POST",
  credentials: "include",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ identifier, password }),
});

The plugin will add the Authorization header to subsequent requests as long as access_token and access_token.sig are still valid.

License

MIT

Last updated

60 days ago

Strapi Version

5.0.0 and above

Author

Zahir El Isaac by growy AI