Both the regular and refresh tokens should be returned as part of the login operation JSON response body and not as response headers.
The security problems related to token leaks (FOLIO-2287 and FOLIO-2286) suggest that the current design is prone to exploitation because the authentication headers are used both as request and response headers.
This is a breaking login API change and requires client (stripes and mod-user-bl) changes.
Additionally, as discussed in FOLIO-2556 and in the #core-platform channel – there is a potential use-case to return the token as a cookie (Set-Cookie header) to allow for transparent handling of tokens in stripes (it's good practice to prevent JS from accessing JWT tokens). This should be verified with the StripesForce team.
and for the “cookie” transported version:
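The ticket's own cookie-transport sample is not reproduced on this page. As an added illustration (not mod-login, Okapi or stripes code), the block below builds both response shapes discussed above – tokens in the JSON body, and tokens as Set-Cookie headers with HttpOnly/Secure/SameSite so page JS cannot read them – and runs a small audit that flags the pattern this ticket wants to remove: a token echoed back in an ordinary response header. Token strings, cookie names, cookie lifetimes, the `/authn/refresh` path and the `X-Auth-Token` header name are constructed placeholders, not FOLIO identifiers.

```javascript
// Added example, not FOLIO/mod-login code. Token values and cookie names
// below are constructed placeholders.
const SAMPLE_TOKENS = {
  accessToken: 'eyJ.ACCESS.PLACEHOLDER',
  refreshToken: 'eyJ.REFRESH.PLACEHOLDER',
};

// Variant A: both tokens travel only in the JSON body; no token-bearing
// response header is emitted.
function buildJsonLoginResponse(tokens) {
  return {
    status: 201,
    headers: {
      'Content-Type': 'application/json',
      'Cache-Control': 'no-store', // keep token responses out of any cache
    },
    body: JSON.stringify({
      accessToken: tokens.accessToken,
      refreshToken: tokens.refreshToken,
    }),
  };
}

// Serialize one Set-Cookie value with the attributes that keep the token out
// of reach of page JavaScript (HttpOnly), off plaintext HTTP (Secure) and off
// cross-site requests (SameSite=Strict).
function serializeTokenCookie(name, value, maxAgeSeconds, path) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    `Path=${path}`,
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Variant B: tokens travel as HttpOnly cookies; the JSON body carries no secret.
function buildCookieLoginResponse(tokens) {
  return {
    status: 201,
    headers: {
      'Content-Type': 'application/json',
      'Cache-Control': 'no-store',
      'Set-Cookie': [
        serializeTokenCookie('accessToken', tokens.accessToken, 600, '/'),
        // Scope the refresh cookie to the refresh path (assumed name) so the
        // browser does not attach it to every request.
        serializeTokenCookie('refreshToken', tokens.refreshToken, 7 * 24 * 3600, '/authn/refresh'),
      ],
    },
    body: JSON.stringify({ tokenTransport: 'cookie' }),
  };
}

// Defender's check on a response object: a token may appear in the body
// (variant A) or in Set-Cookie (variant B) but never in any other header,
// every token cookie must carry HttpOnly, Secure and a SameSite value, and
// the response must not be cacheable.
function auditLoginResponse(resp, tokens) {
  const findings = [];
  const secrets = [tokens.accessToken, tokens.refreshToken];
  for (const [name, raw] of Object.entries(resp.headers)) {
    const values = Array.isArray(raw) ? raw : [raw];
    if (name.toLowerCase() === 'set-cookie') {
      for (const cookie of values) {
        const parts = cookie.split('; ');
        for (const attr of ['HttpOnly', 'Secure', 'SameSite=']) {
          if (!parts.some((p) => p.startsWith(attr))) {
            findings.push(`cookie ${parts[0].split('=')[0]} lacks ${attr.replace('=', '')}`);
          }
        }
      }
      continue;
    }
    for (const v of values) {
      if (secrets.some((s) => v.includes(s))) {
        findings.push(`token echoed in response header ${name}`);
      }
    }
  }
  if (resp.headers['Cache-Control'] !== 'no-store') {
    findings.push('missing Cache-Control: no-store');
  }
  return findings;
}

// A deliberately flawed response for the audit to flag: the access token is
// sent back in a response header (constructed header name), the pattern the
// ticket wants to drop.
function buildHeaderEchoResponse(tokens) {
  return {
    status: 201,
    headers: { 'Content-Type': 'application/json', 'X-Auth-Token': tokens.accessToken },
    body: '{}',
  };
}

console.log(auditLoginResponse(buildJsonLoginResponse(SAMPLE_TOKENS), SAMPLE_TOKENS)); // []
console.log(auditLoginResponse(buildCookieLoginResponse(SAMPLE_TOKENS), SAMPLE_TOKENS)); // []
console.log(auditLoginResponse(buildHeaderEchoResponse(SAMPLE_TOKENS), SAMPLE_TOKENS));
```

The audit is the kind of check a client or integration test can run against the login endpoint once the API change lands: it passes for both transport variants and fails only when a token value shows up in a header other than Set-Cookie or when a cookie lacks its hardening attributes.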