Authgear
HomeGet Started
Search…
Authgear Docs
Get Started
Choose your authentication approach
Token-based (Native mobile or Single-page app)
Cookie-based (Website or Single-page app)
Web SDK
React Native SDK
Flutter SDK
Xamarin SDK
Android SDK
iOS SDK
Backend Integration
tutorials
Single-Page App
Local Development Setup
Strategies
User, Identity and Authenticator
Passkeys
WhatsApp OTP Login
Social & Enterprise Identity Providers
Biometric login
Anonymous Users
Passwordless Login for Apple App Store Review
Ethereum & NFT
Integrate
Using SDK to call your application server
User Settings
User Profile
Reauthentication
How Authgear integrate with your applications
Single Sign-on on mobile devices
Force authentication on app launch
Account Deletion
Customize
Privacy Policy & Terms of Service Links
Branding in Auth UI
Custom domain
Custom Email Provider
Customer Support Link
Localization & UI Text
APIs
API for Client Applications (OIDC 2.0)
Admin APIs
Webhooks
Webhooks
Client App SDKs
Javascript SDK Reference
iOS SDK Reference
Android SDK Reference
Flutter SDK Reference
Xamarin SDK Reference
Deploy on your Cloud
Running locally with Docker
Deploy with Helm chart
Authenticating HTTP request with Nginx
Configurations
Security Concerns
Non-HTTP scheme redirect URI
Powered By GitBook
Choose your authentication approach
Decide how should the application requests be identified, either by access tokens or by cookies.
Authgear provides token-based or cookie-based authentication. You will need to decide which approach you are going to use before starting the setup.
​
Token-based
Cookie-based
Suitable for
mobile apps or single-page web applications
Websites in the same root domain (e.g. Server-side rendered applications)
Transport of session
Access Token in Authorization header
Session ID in Cookies

Token-based authentication

This approach is suitable for mobile apps or single-page web applications.
In Token-based authentication, Authgear returns the access token and refresh token to the client app after authentication.
The client SDK will automatically renew the access token with the refresh token for you, so you don't have to worry about it.
Your client app should call your backend with the access token in the Authorization header, and you can verify the access token by integrating Authgear with your backend. The HTTP requests can be authenticated by Forwarding to Authgear Resolver Endpoint or Validating JWT in your application server.
Request example:
> GET /api_path HTTP/1.1
> Host: yourdomain.com
> Authorization: Bearer <AUTHGEAR_ACCESS_TOKEN>

Cookie-based authentication

This approach is suitable for all types of websites, including server-side rendered applications.
In Cookie-based authentication, Authgear returns Set-Cookie headers and sets cookies to the browser. The cookies are HTTP only and share under the same root domains. So you will need to setup the custom domain for Authgear, such as identity.yourdomain.com.
In this setting, if you have multiple applications under yourdomain.com, all applications would share the same session cookie automatically. After that, you can verify the cookies by integrating Authgear with your backend. The HTTP requests must be authenticated by Forwarding to Authgear Resolver Endpoint.
Request example:
> GET /api_path HTTP/1.1
> Host: yourdomain.com
> cookie: session=<AUTHGEAR_SESSION_ID>
​
Previous
Authgear Docs
Next
Token-based (Native mobile or Single-page app)
Last modified 1yr ago
Copy link
On this page
Token-based authentication
Cookie-based authentication