How to store JWT in Vue securely

Łukasz Holeczek Łukasz Holeczek
calendar Tuesday, December 2, 2025
#vue #jwt #security #storage #cookies

Storing JWT tokens securely in Vue applications is crucial for preventing XSS attacks and maintaining robust authentication security. As the creator of CoreUI with extensive Vue security experience since 2014, I’ve implemented secure token storage in numerous enterprise applications. The most secure approach uses httpOnly cookies for token storage combined with memory-based state management for temporary access. This method prevents JavaScript access to tokens while maintaining seamless authentication flow throughout the application.

Implement secure JWT storage using httpOnly cookies with a Pinia store for authentication state management.

// stores/auth.js
import { defineStore } from 'pinia'

export const useAuthStore = defineStore('auth', {
  state: () => ({
    user: null,
    isAuthenticated: false,
    accessToken: null // Stored in memory only
  }),

  actions: {
    async login(credentials) {
      try {
        const response = await fetch('/api/login', {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify(credentials),
          credentials: 'include' // Include httpOnly cookies
        })

        if (response.ok) {
          const data = await response.json()
          // JWT stored in httpOnly cookie by server
          this.user = data.user
          this.isAuthenticated = true
          // Short-lived access token in memory
          this.accessToken = data.accessToken
        }
      } catch (error) {
        throw new Error('Login failed')
      }
    },

    async logout() {
      await fetch('/api/logout', {
        method: 'POST',
        credentials: 'include'
      })

      this.user = null
      this.isAuthenticated = false
      this.accessToken = null
    },

    async refreshToken() {
      try {
        const response = await fetch('/api/refresh', {
          method: 'POST',
          credentials: 'include'
        })

        if (response.ok) {
          const data = await response.json()
          this.accessToken = data.accessToken
          return true
        }
      } catch (error) {
        this.logout()
        return false
      }
    }
  }
})

This code implements secure JWT storage where refresh tokens are stored in httpOnly cookies (set by the server) and short-lived access tokens are kept in memory. The credentials: 'include' option ensures cookies are sent with requests. This approach prevents XSS attacks since JavaScript cannot access httpOnly cookies, while the memory-based access token provides performance benefits.

Best Practice Note:

This is the secure token storage pattern we implement in CoreUI Pro enterprise applications for maximum security. Always use HTTPS in production and implement proper CSRF protection when using cookie-based authentication to prevent security vulnerabilities.

Speed up your responsive apps and websites with fully-featured, ready-to-use open-source admin panel templates—free to use and built for efficiency.

Free Angular Admin Template
Angular
Free Bootstrap Admin Template
Bootstrap
Free React.js Admin Template
React Logo
React.js
Free Vue.js Admin Template
Vue.js

About the Author

Łukasz Holeczek

Łukasz Holeczek, Founder of CoreUI, is a seasoned Fullstack Developer and entrepreneur with over 25 years of experience. As the lead developer for all JavaScript, React.js, and Vue.js products at CoreUI, they specialize in creating open-source solutions that empower developers to build better and more accessible user interfaces.

With expertise in TypeScript, JavaScript, Node.js, and modern frameworks like React.js, Vue.js, and Next.js, Łukasz combines technical mastery with a passion for UI/UX design and accessibility. CoreUI’s mission is to provide developers with tools that enhance productivity while adhering to accessibility standards.

Łukasz shares its extensive knowledge through a blog with technical software development articles. It also advises enterprise companies on building solutions from A to Z. Through CoreUI, it offers professional services, technical support, and open-core products that help developers and businesses achieve their goals.

Learn more about CoreUI’s solutions and see how your business can benefit from working with us.
Subscribe to our newsletter
Get early information about new products, product updates and blog posts.
Maintaining Accessibility with React createPortal and aria-owns: A Complete Guide
Maintaining Accessibility with React createPortal and aria-owns: A Complete Guide
calendar Monday, August 4, 2025
The Best Bootstrap Alternative for Developers in 2025
The Best Bootstrap Alternative for Developers in 2025
calendar Tuesday, July 8, 2025
How to Hide Scrollbar with CSS
How to Hide Scrollbar with CSS
calendar Wednesday, May 8, 2024
How to Open All Links in New Tab Using JavaScript
How to Open All Links in New Tab Using JavaScript
calendar Thursday, June 20, 2024

Answers by CoreUI Core Team

How to render a list in React
How to set an item in localStorage in JavaScript
How to use rest parameters in JavaScript
How to read route parameters in Angular
How to curry a function in JavaScript
How to raise a number to a power in JavaScript