Get access token on the frontend
Hello everyone!
I'm playing with Better Auth, using it to authenticate my app's user on Google. Everything is working smoothly, but I noticed that there is a way for the user to get the access token issued by Google on the frontend by calling
await auth.api.getAccessToken(...).
I'm wondering if it is common practice to expose these tokens to the frontend.
Is there a risk of this token getting stolen somehow?
3 Replies
Yes, access tokens are short-lived. We don't expose refresh tokens. That said, you can disable it.
Thank you!
Is there any recommended way to disable this endpoint server side?
Options | Better Auth
Better Auth configuration options reference.