JWT Token Cookies now the default

In the current pre-release v5.13.3+ (and the next version of ServiceStack) the JWT Auth Provider now defaults to UseTokenCookie=true, as this is the recommended configuration for JWTs: the JWT is stored in a Secure, HttpOnly cookie rather than being exposed to page scripts, which protects it against theft via XSS. It also keeps the simpler dev model, since the stateless JWT is attached to HTTP requests as a cookie (just like a normal session), so JWT can be enabled on the server without changing any client code: the JWT cookie is automatically attached to the authenticating HTTP client's subsequent requests.

We’ve been able to further improve on JWT Auth with Refresh Token Cookies, where the server now transparently issues a new JWT when the existing JWT Bearer Token expires. Previously, auto-refreshing Bearer Tokens with Refresh Tokens was limited to logic built into our Service Clients. Because the server now uses the Refresh Token Cookie to refresh expired JWTs, this ability extends transparently to all HTTP clients.

If you want to keep the JWT and Refresh Tokens returned in the AuthenticateResponse DTO body so you can populate Bearer Tokens manually, you can revert to the previous default behavior with:

new JwtAuthProvider {
    UseTokenCookie = false
}
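As an added example (not code from the ServiceStack release notes), the configuration below shows the cookie-based default alongside the settings a practitioner would pair with it: a signing key from app settings, HTTPS-only token handling, and short JWT expiry backed by a longer-lived refresh token, followed by a client that authenticates and then calls a protected service without ever handling a Bearer Token itself. The config key `jwt.AuthKeyBase64`, the base URL, the credentials and the `MySecureRequest` DTO are placeholders, and the cookie names in the comments are assumed.

```csharp
using System;
using ServiceStack;
using ServiceStack.Auth;

// Server side: inside AppHost.Configure(). JWTs are issued as HttpOnly cookies
// (UseTokenCookie = true is now the default; shown explicitly for clarity).
public class AppHost : AppHostBase
{
    public AppHost() : base("JwtCookieDemo", typeof(AppHost).Assembly) { }

    public override void Configure(Funq.Container container)
    {
        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] {
                new CredentialsAuthProvider(AppSettings),
                new JwtAuthProvider(AppSettings) {
                    // Placeholder key: load the HS256 signing key from config, never hard-code it
                    AuthKeyBase64 = AppSettings.GetString("jwt.AuthKeyBase64"),
                    UseTokenCookie = true,           // JWT travels in a Secure, HttpOnly cookie
                    RequireSecureConnection = true,  // refuse to issue or accept tokens over plain HTTP
                    ExpireTokensIn = TimeSpan.FromMinutes(15),      // short-lived access token
                    ExpireRefreshTokensIn = TimeSpan.FromDays(7),   // refresh cookie outlives it
                },
            }));
    }
}

// Client side: no BearerToken / RefreshToken plumbing is needed. The JsonServiceClient's
// CookieContainer keeps the token cookies (assumed names: ss-tok and ss-reftok) and the
// server transparently re-issues an expired JWT from the refresh cookie.
public static class Client
{
    public static void Run()
    {
        var client = new JsonServiceClient("https://localhost:5001"); // placeholder base URL

        client.Post(new Authenticate {
            provider = "credentials",
            UserName = "demo-user",      // placeholder credentials
            Password = "demo-password",
        });

        // MySecureRequest is a placeholder for any [Authenticate]-protected request DTO
        var response = client.Get(new MySecureRequest());
    }
}
```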