FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Why does the registration endpoint not set HTTPOnly Cookies with Refresh Token like the Login Endpoint?

    Scheduled Pinned Locked Moved
    Q&A
    2
    2
    329
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nearat
      last edited by nearat

      I've noticed that for the registration endpoint when I try to create a user and registration https://fusionauth.io/docs/v1/tech/apis/registrations#create-a-user-and-registration-combined It returns the access and refresh token but they are not set as HTTPOnly cookies. Whereas when I login https://fusionauth.io/docs/v1/tech/apis/login#authenticate-a-user or using identity provider https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#complete-the-google-login I get both the access and refresh token set as HTTPOnly cookies. So why does registration not have this? I want to be able to set my refresh token in a http only cookie after the user registers. In this case, would I need to make another request to the login end point right after registration to set a HTTPOnly cookie with the token? If that is the case, why am i getting the access and refresh token back from the registration call in the first place? Any insight will be greatly appreciated. Thanks!

      1 Reply Last reply Reply Quote 1
      • danD
        dan
        last edited by

        Are you using javascript in the browser to register the user? Or a server running node (or some other language). If the latter, you could send down an HttpOnly cookie based on the response of the registration.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        1 Reply Last reply Reply Quote 0
        • First post
          Last post