For the complete documentation index, see llms.txt. Prefer markdown by appending .md to documentation URLs or sending Accept: text/markdown.

Storage

Use extension storage for preferences, not for server secrets or as a replacement for httpOnly session cookies.

TurboStarter uses WXT storage for persistent preferences (for example theme). It syncs across popup, background, content scripts, and pages when the storage permission is available.

What belongs in extension storage

Good fitBad fit
Theme mode / colorBETTER_AUTH_SECRET or any server secret
UI flags and dismissible bannersLong-lived session tokens when cookie sharing works
Non-sensitive draftsRaw webhook payloads or PII you do not need offline
wxt.config.ts
export default defineConfig({
  manifest: {
    permissions: ["storage"],
  },
});

Only add storage when you actually persist data. See Structure → Storage.

Session data

Prefer the shared httpOnly cookie session from the web app over copying tokens into chrome.storage.

If you cache a display name or avatar for faster popup paint, treat it as untrusted UX cache - refresh from the API when security-sensitive actions run.

Content scripts and storage

Content scripts can use storage APIs, but anything they write may sit next to hostile page contexts. Do not store secrets there. Prefer sending data to the background worker or your API.

Practical rules

  • Encrypting a secret in extension storage is still weaker than keeping it on the server
  • Clear storage on sign-out when it holds account-related cache
  • Do not log storage dumps to analytics
  • Document the storage permission in your store privacy text

How is this guide?

Last updated on

On this page

Ship your startup everywhere. In minutes.Try TurboStarter