Guest Tokens

Guest tokens provide anonymous user sessions, enabling features like shopping carts, wishlists, or personalized content without requiring login.

Overview#

Guest tokens work transparently alongside user tokens:

Automatically created when no auth token exists
Stored in a separate cookie from user tokens
Seamlessly upgraded to user tokens on login
Configurable credentials for your backend

Configuration#

Enable guest tokens in your proxy:

TypeScript

Backend Setup#

Your backend needs a guest authentication endpoint:

Endpoint#

Expected Response#

JSON

Custom Response Format#

If your backend uses a different format:

TypeScript

How Guest Tokens Work#

Creation Flow#

Token Priority#

When both tokens exist:

TypeScript

On login, the guest cookie is automatically cleared.

Detecting Guest Users#

In Proxy (afterAuth)#

TypeScript

In Server Components#

TypeScript

In Client Components#

TypeScript

Guest to User Upgrade#

When a guest user logs in:

TypeScript

Backend Considerations#

Your backend should handle guest-to-user data migration:

PHP

Guest Token Expiration#

Guest tokens typically have shorter lifespans:

TypeScript

When expired, a new guest token is automatically created.

Use Cases#

Shopping Cart#

TypeScript

Content Personalization#

TypeScript

Rate Limiting by Session#

TypeScript

Disabling Guest Tokens#

For apps that require login:

TypeScript

Security Considerations#

Separate Credentials#

Always use dedicated guest credentials:

.env

Limited Permissions#

Your backend should give guest tokens minimal permissions:

PHP

Don't Store Sensitive Data#

Guest sessions should not store:

Personal information
Payment details
Sensitive preferences

Instead, require login for sensitive operations.