For the complete documentation index, see llms.txt. Prefer markdown by appending.mdto documentation URLs or sendingAccept: text/markdown.
Storage
Use extension storage for preferences, not for server secrets or as a replacement for httpOnly session cookies.
TurboStarter uses WXT storage for persistent preferences (for example theme). It syncs across popup, background, content scripts, and pages when the storage permission is available.
What belongs in extension storage
| Good fit | Bad fit |
|---|---|
| Theme mode / color | BETTER_AUTH_SECRET or any server secret |
| UI flags and dismissible banners | Long-lived session tokens when cookie sharing works |
| Non-sensitive drafts | Raw webhook payloads or PII you do not need offline |
export default defineConfig({
manifest: {
permissions: ["storage"],
},
});Only add storage when you actually persist data. See Structure → Storage.
Session data
Prefer the shared httpOnly cookie session from the web app over copying tokens into chrome.storage.
If you cache a display name or avatar for faster popup paint, treat it as untrusted UX cache - refresh from the API when security-sensitive actions run.
Content scripts and storage
Content scripts can use storage APIs, but anything they write may sit next to hostile page contexts. Do not store secrets there. Prefer sending data to the background worker or your API.
Practical rules
- Encrypting a secret in extension storage is still weaker than keeping it on the server
- Clear storage on sign-out when it holds account-related cache
- Do not log storage dumps to analytics
- Document the
storagepermission in your store privacy text
How is this guide?
Last updated on