Token Handler: The New BFF to Your Single Page Applications

Curity
2 min read · Oct 14, 2021


You can harden your SPA security with Token Handler

With the web constantly evolving, Single Page Applications (SPAs) have become a prevalent style of frontend application. Their popularity is driven by rising demands on user experience and on simpler infrastructure, both of which SPAs serve well. Handling the security of such apps, however, can be challenging.

SPA Security Problem

In the traditional approach, a user’s access to a web application was controlled by a cookie-based session. The browser attaches the session cookie automatically on every call to the backend, and the backend looks up the session to authorize the user; no credential is ever visible to page scripts.

Since an SPA has no dedicated backend, the user session cannot be kept in a cookie in the same way: the APIs the SPA calls usually live on other domains and do not hold any session state. Instead, the SPA obtains access tokens and sends them itself, so that it can call APIs on behalf of the authenticated user.

The shift from cookies to access tokens has severe security implications. A token the SPA can read must be kept somewhere JavaScript can reach (local storage, session storage or page memory), so any script injected through a Cross-Site Scripting (XSS) flaw, or any malicious third-party dependency loaded into the page, can read and exfiltrate it and then call the APIs directly.

Solution

Browsers currently offer no storage that the scripts running on a page cannot reach, so an SPA has no universal means of keeping access and refresh tokens safe from malicious code. The robust option is to keep the tokens out of the browser entirely. This can be achieved by adding a backend component that handles tokens and issues secure cookies to the frontend, an arrangement often referred to as a Backend for Frontend (BFF).

The Token Handler pattern is an extension of the common BFF design pattern. In this extended form, the SPA’s OpenID Connect security is implemented in an API-driven manner:

How Token Handler works — Curity

With this approach, all communication between the SPA and the Authorization Server goes through the token handler, and tokens never reach the SPA at all. The token handler issues session cookies to the SPA instead, and when the SPA calls an API it is the token handler that maps the cookie back to the stored access token. Even though we’re dealing with an SPA, the security level is on par with a website that has its own backend: an XSS payload can make requests from the victim’s page, but it cannot steal a token it never sees.

Want to learn more about the Token Handler?

Here are some resources to help you:


Curity

Curity is the leading supplier of API-driven identity management, providing unified security for digital services. Visit curity.io or contact info@curity.io