Hello,
I’m working on a project with the following setup:
- Frontend: React application
- Middleware: Forge (NodeJS)
- Backend: Separate backend service
I’m looking for advice on how to securely store JWT tokens in this architecture. I prefer not to use session storage or local storage for storing tokens.
My main question is whether it is feasible to use HTTP-only cookies for token storage when working with the middleware. Can HTTP-only cookies be set and managed from the middleware, and if so, what is the recommended approach for implementing this?
Thank you!
@MarkMathiasz1,
Do you mean store the Forge Invocation Tokens, which happen to be JWT? Or is there some other kind of JWT token in your architecture? Why does the token need to be stored?
This is some other JWT. It is required for my backend. I need to attach it to every request, but the requests all come from the Jira Forge middleware.
I store the secret in the middleware.
So this is the current setup:
- The frontend requests a token from the middleware → the middleware creates a token using the getMyself endpoint + adds the secret → the frontend stores the token.
- In every invoke function connected to the backend, I attach this token.
So the data flow looks like this:
Frontend (data + token) → invoke → middleware fetch → backend returns data after token validation.
The only problem is that I need to store the token in sessionStorage.
This token is important for both authentication and authorization.
If I don’t store the token, I will have to call the getMyself endpoint and create a new token for every request.