Token Storage
DO: Use httpOnly Cookies
Zalt's Next.js SDK automatically stores tokens in secure httpOnly cookies, which page scripts cannot read.
DON'T: Store in localStorage
Anything in localStorage is readable by any JavaScript running on the page, so a single XSS bug is enough to steal the token. Never store tokens there in production.
MFA Selection
| Method | Security | Recommendation |
|---|---|---|
| WebAuthn/Passkeys | ★★★★★ | Highly Recommended |
| TOTP (Authenticator) | ★★★★☆ | Recommended |
| SMS | ★★☆☆☆ | Use with caution (SS7 vulnerable) |
Error Handling
```javascript
// ❌ Bad: each message reveals which check failed, so an attacker can tell
// valid accounts from invalid ones (user enumeration)
throw new Error('User not found');
throw new Error('Invalid password');

// ✅ Good: one generic message for every authentication failure
throw new AuthenticationError('Invalid credentials');

// Zalt SDK handles this automatically. `zalt` and `AuthenticationError` are
// assumed to be imported from the SDK; `showError` is the app's own UI helper.
try {
  await zalt.login(email, password);
} catch (error) {
  if (error instanceof AuthenticationError) {
    // Same message for all auth failures
    showError('Invalid email or password');
  }
}
```