Django
TypeScript
A practical JWT auth playbook for Django with TypeScript SPAs Features JWT Header Access, Cookie Refresh
This guide documents a battle‑tested pattern for web apps where the frontend is rendered by Django templates (or any SPA) and calls a REST API secured by JWTs. It assumes mainstream web‑app threat models and focuses on staying resilient against XSS and CSRF while keeping the UX smooth. Jwt Auth Playbook — Django + Type Script (header Access, Cookie Refresh)
“Header Access, Cookie Refresh — A practical JWT auth playbook for Django + TypeScript SPAs.” It covers:
- Architecture & threat model
- Exact cookie/CORS/CSRF settings to use
- Backend endpoint contracts (login/refresh/logout)
- Frontend behavior (single-flight refresh, one-retry rule, per-tab storage)
- Security headers (CSP, etc.), ops hygiene, tests, pitfalls, and a print-ready checklist
1