Introduction

Dynamic can now be configured to set a secure, HttpOnly cookie that can be used for authenticating with Dynamic’s backend. This will contain a minified version of our JWT token. This feature would also allow your site’s end users to sign in on one subdomain and go to another subdomain without that end user needing to log in again using the same Dynamic environment ID.

Approach

Dynamic will require the setup of a custom hostname. This is a subdomain that you own, but pointed by DNS CNAME to Dynamic’s API. This will allow Dynamic’s backend to set secure, HttpOnly cookies on your domain. For example, if your Dynamic-powered site is https://app.example.io, the custom hostname you could use is https://auth.example.io. This would allow your users to sign in with Dynamic on https://app.example.io, receive an HttpOnly secure cookie for .example.io. This cookie can then be used on any subdomain ending with .example.io, such as https://marketplace.example.io and https://shop.example.io.

Steps

The following steps would be required to properly set up cookie-based authentication.
  1. Go to the dashbaord security page and configure a custom domain.
  2. Provide us with a subdomain you intend to use. We need this so we can set a first party cookie on your behalf on our backend. Suggestion here is to prefix with auth. For instance for example.io, you can potentially use auth.example.io.
  3. Follow the instructions to set up DNS. There should be three DNS records: 2 TXT records for site and certificate verification, and 1 CNAME record to proxy the custom subdomain of your choice.
  4. Note: In sandbox, we will also attempt to set the cookie from the SDK frontend. This will ensure continued support for local development and other preview environments.
  5. Once DNS is validated, update the apiBaseUrl prop in DynamicContextProvider settings. For example:
<DynamicContextProvider
    settings={{
        apiBaseUrl: 'https://auth.example.io/api/v0', // this should start with your new custom base domain
        environmentId: DYNAMIC_ENVIRONMENT_ID,
        walletConnectors: [EthereumWalletConnectors],
    }}
>
    ...
</DynamicContextProvider>
  1. Enable the cookies toggle. When this is enabled in live, Dynamic WILL NO LONGER return a JWT to store in local storage. The auth token will only be set on a cookie.