Cookie-based
Browser sends cookies during SSE request. Works with same-origin. SameSite=Lax lets cross-site GET (SSE is GET). Simplest.
Advertisement
Query-string token
new EventSource('/stream?token=' + jwt);Token in URL. Downside: logged, cacheable. Use short-lived tokens.
Advertisement
First-message auth doesn't work
SSE is unidirectional. Client can't send an auth message back. Auth must happen at handshake time.