Skip to content

Does MSAL Node support storing refresh tokens in HttpOnly cookies #7907

New issue
New issue
Open
Open
Does MSAL Node support storing refresh tokens in HttpOnly cookies#7907
Labels
Needs: Attention 👋Awaiting response from the MSAL.js teamconfidential-clientIssues regarding ConfidentialClientApplicationsdocumentationRelated to documentation.msal-nodeRelated to msal-node packagequestionCustomer is asking for a clarification, use case or information.
@Effos

Description

@Effos
Effos
opened on Jul 4, 2025

Core Library

MSAL Node (@azure/msal-node)

Wrapper Library

Not Applicable

Public or Confidential Client?

Confidential

Documentation Location

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/caching.md

Description

Hi team,

I've read through the MSAL Node caching documentation, but couldn't find anything specific about storing refresh tokens in cookies.

Many tutorials suggest storing the refresh token in a Secure, HttpOnly cookie (typically set by an API route), especially in setups that aim to remain serverless (e.g., using Vercel functions or similar).

Is this an approach that MSAL officially supports, or are there reasons it's discouraged? I understand there are always security considerations with token storage, but would appreciate any clarification or guidance on whether this is a supported pattern.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Needs: Attention 👋Awaiting response from the MSAL.js teamconfidential-clientIssues regarding ConfidentialClientApplicationsdocumentationRelated to documentation.msal-nodeRelated to msal-node packagequestionCustomer is asking for a clarification, use case or information.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions