Nest Auth (beta)

Custom trusted-device header name

Rename `nest_auth_device_trust` to match your app's conventions.

Default header name: `nest_auth_device_trust`. If you'd rather call it `x-app-trust-token` (or anything else), change it in three places: server, client, and CORS.

Server

NestAuthModule.forRoot({
  mfa: {
    enabled: true,
    trustDeviceStorageName: 'x-app-trust-token',
  },
});

Client

new AuthClient({
  baseUrl: 'https://api.example.com',
  trustDeviceHeaderName: 'x-app-trust-token',
});

CORS

Make sure preflight allows the new name:

app.enableCors({
  allowedHeaders: [
    'Content-Type',
    'Authorization',
    'x-access-token-type',
    'x-app-trust-token',          // <-- new name
  ],
});

If you forget the CORS step, the browser silently strips the header and trusted-device login appears to never work.
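To confirm the CORS step took effect, the following added example (not part of Nest Auth or of this page's original code) checks whether a preflight response permits the renamed header. The function names, the origin and the sample responses are constructed for illustration.

```javascript
// Added example: does a CORS preflight response permit a custom request
// header, such as the renamed trusted-device header?

// Parse an Access-Control-Allow-Headers value into lowercase header names.
function parseAllowHeaders(value) {
  return (value || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
}

// Returns { allowed, reason } for one request header.
// responseHeaders: plain object of preflight response header name -> value.
// credentialed: true when the request is sent with cookies/credentials.
function preflightAllowsHeader(responseHeaders, headerName, credentialed) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;
  const allowed = parseAllowHeaders(lower['access-control-allow-headers']);
  const name = headerName.toLowerCase();
  if (allowed.includes(name)) return { allowed: true, reason: 'listed' };
  // "*" is a wildcard only for non-credentialed requests and never covers Authorization.
  if (allowed.includes('*') && !credentialed && name !== 'authorization') {
    return { allowed: true, reason: 'wildcard' };
  }
  return { allowed: false, reason: `${headerName} missing from Access-Control-Allow-Headers` };
}

// Constructed sample preflight responses (not captured from a real server).
const beforeFix = {
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-access-token-type',
};
const afterFix = {
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Access-Control-Allow-Headers': 'Content-Type,Authorization,x-access-token-type,X-App-Trust-Token',
};

console.log(preflightAllowsHeader(beforeFix, 'x-app-trust-token', true));
console.log(preflightAllowsHeader(afterFix, 'x-app-trust-token', true));
```

Feed it the headers of the real `OPTIONS` response from your API (for example, copied from the browser's network panel) in place of the constructed samples.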

Why rename

  • Brand consistency — your other custom headers might already use x-app-*.
  • Conflict avoidance — if some upstream proxy filters by name pattern.
  • Versioning — bumping the name forces all clients to rotate trust tokens (everyone re-MFAs once).

Don't rename mid-deploy

Existing users have the old header value persisted in their storage. If the server changes the expected name before they get a new token, they'll silently fall off the trusted-device list (one extra MFA prompt per user). Acceptable, but plan for it.
