There is NO DIFFERENCE between sending auth data to a server in the Authorization header (with a bearer token) vs sending it to the server using a cookie. See here – Eugen Konkov Oct 29 '18 at 12:32

The POST request is sent to the token endpoint, which you should retrieve from the Discovery document using the token_endpoint metadata …

Cookies are usually set by a web server using the Set-Cookie HTTP response header.

Exchange code for access token and ID token.

The default Laravel JavaScript scaffolding includes an Axios instance, which will automatically use the encrypted XSRF-TOKEN cookie value to send an X-XSRF-TOKEN …

In this case, the XSS impact is very minimal. All requests are sent without cookies (withCredentials = false by default) and I use a JWT Bearer token for authentication by taking it from cookies in Angular and placing it in the Authorization header (this technique is roughly what is described on the CSRF Wiki page).

Reduce risk. Even when you use a token, the browser continues to send third-party cookies to the third-party domain. It can be easily bypassed using the DOM, for example by creating a hidden