Is Storing Access_Token in Server-Side Cookies a Best Practice for API Validation?

[zuko-firelord]

I am using Next.js 15 for the frontend and a Go backend. While reviewing the example of authorizer-nextjs, I noticed that the access_token is stored in a server-side cookie that can be use for validating API requests in middleware.

Is this approach secure and recommended?
If I decide not to store the access_token on server-side cookie, can I validate API requests using a session_token instead?

[zuko-firelord]

@lakhansamani

[lakhansamani]

@zuko-firelord yes u can also validate it using session_token, but make sure that cookie is present.

[zuko-firelord]

@lakhansamani i couldnt find any function in authorizer-go related to validating APIs using the session_token. could you let me know the name of the function?

[zuko-firelord]

i want to raise a PR for an example of authorizer-nextjs15 with middleware functionality and implement the backend authorize API. im not good at frontend stuff, but i'll give it a shot. Where should I push my code?

[lakhansamani]

@zuko-firelord thanks
you can create PR here: https://github.com/authorizerdev/examples

[zuko-firelord]

@zuko-firelord thanks you can create PR here: https://github.com/authorizerdev/examples

ive raised a pr...please cross-check that logics are correct, did it very short amt of time...pardon me for ui

[zuko-firelord]

@lakhansamani i couldnt find any function in authorizer-go related to validating APIs using the session_token. could you let me know the name of the function?

?

[lakhansamani]

@zuko-firelord there is API
https://docs.authorizer.dev/core/graphql-api#validate_session

However this needs cookie and token cannot be passed in request and will return new session for security reasons.