Sessions
How customer tokens are stored and sent — memory, static, and cookie session stores.
A session store is how the SDK reads and writes the customer's bearer token. The right one depends on where your code runs.
```ts
interface SessionStore {
  getToken(): string | undefined | Promise<string | undefined>;
  setToken(token: string, expiresAt?: Date): void | Promise<void>;
  clear(): void | Promise<void>;
}
```

auth.verifyOtp() calls setToken() for you; auth.logout() calls clear().
Built-in stores
memorySession (default)
Keeps the token in a closure for the client's lifetime. Great for scripts and single-user contexts.
```ts
import { memorySession, createStorefrontClient } from "@usestorekit/sdk";

const client = createStorefrontClient({
  baseURL,
  storeKey,
  session: memorySession(), // optional — this is the default
});
```

A memorySession client holds one token. On a server handling many users, never share one client across requests: create a client (and session) per user, or you will leak one customer's session to another.
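As an added example (not the SDK's own code), here is a custom SessionStore that honours the optional expiresAt passed to setToken(), plus a per-request factory that follows the one-session-per-user rule above; expiringMemorySession, bearerHeader and sessionForRequest are hypothetical names, and the real client is createStorefrontClient.

```typescript
// Added example, not the SDK's own code. Implements the SessionStore
// interface from this page with expiry handling for the optional expiresAt.

interface SessionStore {
  getToken(): string | undefined | Promise<string | undefined>;
  setToken(token: string, expiresAt?: Date): void | Promise<void>;
  clear(): void | Promise<void>;
}

// Memory-backed store (one per user, like memorySession) that drops the
// token once expiresAt has passed, so a stale bearer is never sent.
// `now` is injectable so the expiry path can be tested deterministically.
function expiringMemorySession(now: () => number = Date.now): SessionStore {
  let token: string | undefined;
  let expiresAt: number | undefined;
  return {
    getToken() {
      if (expiresAt !== undefined && now() >= expiresAt) {
        token = undefined; // expired: behave as logged out
        expiresAt = undefined;
      }
      return token;
    },
    setToken(value, exp) {
      token = value;
      expiresAt = exp?.getTime();
    },
    clear() {
      token = undefined;
      expiresAt = undefined;
    },
  };
}

// Hypothetical stand-in for how a client turns its store into the
// Authorization header; getToken() may be sync or async, so await it.
async function bearerHeader(session: SessionStore): Promise<string | undefined> {
  const token = await session.getToken();
  return token ? `Bearer ${token}` : undefined;
}

// Per-request factory: a fresh store per user so tokens never cross requests.
function sessionForRequest(userToken?: string, expiresAt?: Date): SessionStore {
  const session = expiringMemorySession();
  if (userToken) session.setToken(userToken, expiresAt);
  return session;
}
```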
staticSession
A read-only session for a known token. setToken/clear are no-ops — useful
when you already have a token and just want to make authenticated calls.
```ts
import { staticSession, createStorefrontClient } from "@usestorekit/sdk";

const client = createStorefrontClient({
  baseURL,
  storeKey,
  session: staticSession(knownToken),
});
```

cookieSession (Next.js)
Stores the token in an httpOnly cookie. This is what the Next.js adapter uses under the hood, so you rarely construct it yourself.
```ts
import { cookieSession } from "@usestorekit/sdk/next";

const session = cookieSession(); // httpOnly, Secure in prod, SameSite=Lax
```

Cookie names
The Next.js adapter uses two cookies; override their names via initStorekit({ cookies }):

```ts
import { DEFAULT_COOKIES } from "@usestorekit/sdk/next";
// DEFAULT_COOKIES is { session: "sk_session", cart: "sk_cart" }

const storekit = initStorekit({
  cookies: { session: "my_session", cart: "my_cart" },
});
```

Server vs. browser, summarized
| Context | Where the token lives | How it's sent |
|---|---|---|
| Next.js server | httpOnly cookie (sk_session) | Authorization: Bearer added server-side |
| Browser | Not in JS — the same httpOnly cookie | Cookie auto-sent to your same-origin proxy |
| Core client | Your chosen SessionStore | Authorization: Bearer from the store |
The browser never holds the raw token, so it cannot be read by page JavaScript, including script injected via XSS. Note that this protects the token value only: script running in the page can still issue requests to your same-origin proxy, and the browser will attach the cookie to them, so XSS still needs to be prevented.