WebSocket Auth: Cookies vs Bearer Tokens

You build a real-time app. You need to handle authentication for WebSockets. It is harder than HTTP.

HTTP is simple. You put a Bearer token in the Authorization header of every request.

WebSockets are different. The browser WebSocket API gives you no way to set custom headers on the handshake request, so there is no Authorization header to put a token in.

You might try these workarounds:

Cookies solve this.

Browsers send cookies automatically during the WebSocket handshake. The handshake is an ordinary HTTP GET with an Upgrade header, so cookies travel with it, subject to their Secure and SameSite attributes.

You write no client code for auth. The browser handles it.

The backend needs a change. In many WebSocket libraries the handshake request does not pass through your normal HTTP auth middleware, so you read and parse the raw Cookie header yourself.

Verify the JWT. Reject the handshake if it fails. Check the Origin header as well: the browser attaches cookies to a cross-site handshake too and applies no CORS check to it, so without an Origin check any site a logged-in user visits could open an authenticated socket to your server (cross-site WebSocket hijacking).

Cookies remove friction. With HttpOnly and Secure set, the token never touches page JavaScript, so a script injection cannot read it the way it could read a token kept in localStorage. Simple client code is worth the extra backend work.

Source: https://dev.to/nikhilsharma6/the-websocket-auth-problem-cookies-vs-bearer-tokens-4eel