Can I get the session token from a URL?
I'm using Authava in an embedded app and can't access cookies. Can I pass the session token via query params?
Anon User 6
asked 5/11/2025
1 Answer
Yes, Authava supports extracting a session token from the URL if your tenant has explicitly enabled it. This is useful in environments where cookies aren't available (e.g. iframe embeds, mobile webviews).
Important Security Notice
We do not recommend using tokens in URLs unless absolutely necessary. URLs can:
- Be logged in browser history
- Be leaked via referrer headers
- Be visible to third-party analytics or logging tools
- Persist in shared links or screenshots
Use only in trusted environments where you control both the embedding app and the receiving iframe/page.
How to Enable It
- Go to your domain settings via the Authava Dashboard
- Enable the append_token_to_redirect_url feature
- Save your settings; it will take effect immediately
Example
If enabled, you can redirect users like this:
https://yourapp.com/?token=eyJhbGciOiJI...
The @authava/client library will detect the token parameter automatically and store it in localStorage for future session restoration.
This is especially useful when:
- Embedding Authava-protected apps in an iframe
- Working in environments where cookies are blocked or stripped
- Bootstrapping sessions without login flow
Ryan Hein
answered 5/11/2025
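As an added example (not part of the answer above and not @authava/client code), this sketch shows a receiving page consuming the `token` parameter once and removing it from the address bar, so it is not carried into later referrer headers or copied links. The function name, the storage key and the JWT-style shape check are assumptions made for illustration.

```javascript
// Added example; not @authava/client code. All names here are hypothetical.
const TOKEN_PARAM = "token";          // parameter name shown in the answer
const STORAGE_KEY = "session_token";  // assumed key, not taken from the library

// Assumption: the token is JWT-shaped (three base64url segments), as the
// sample URL in the answer suggests. Real validation happens server-side.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// href: full page URL; storage: object with setItem(); hist: object with
// replaceState(). Passing them in keeps the function runnable outside a browser.
function consumeTokenFromUrl(href, storage, hist) {
  const url = new URL(href);
  const values = url.searchParams.getAll(TOKEN_PARAM);
  const pathOf = (u) => u.pathname + u.search + u.hash;
  if (values.length === 0) {
    return { stored: false, cleanedUrl: pathOf(url) };
  }

  // Strip the parameter first, even if the value is rejected below, so the
  // token never stays in the visible URL of this page.
  url.searchParams.delete(TOKEN_PARAM);
  const cleanedUrl = pathOf(url);
  hist.replaceState(null, "", cleanedUrl);

  // Refuse repeated parameters (ambiguous) and values with the wrong shape.
  const ok = values.length === 1 && JWT_SHAPE.test(values[0]);
  if (ok) {
    storage.setItem(STORAGE_KEY, values[0]);
  }
  return { stored: ok, cleanedUrl };
}

// Browser wiring: run before any other script or subresource loads, because
// requests issued earlier still carry the original URL as their referrer.
if (typeof window !== "undefined") {
  consumeTokenFromUrl(window.location.href, window.localStorage, window.history);
}
```

This only cleans up the client side; the token still reaches server and proxy access logs on the initial request, so those need their own redaction.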