Cookie-based

Browser sends cookies during SSE request. Works with same-origin. SameSite=Lax lets cross-site GET (SSE is GET). Simplest.

Advertisement

Query-string token

new EventSource('/stream?token=' + jwt);

Token in URL. Downside: logged, cacheable. Use short-lived tokens.

Advertisement

First-message auth doesn't work

SSE is unidirectional. Client can't send an auth message back. Auth must happen at handshake time.