The AuthKit Remix Library renders sensitive auth data in HTML
Before 0.15.0, @workos-inc/authkit-remix returned sensitive authentication artifacts from the authkitLoader, specifically sealedSession and accessToken. Because these values were returned from the loader, they were embedded into the server-rendered HTML and became readable by any script with access to the page’s DOM (e.g., in the presence of XSS or a malicious browser extension).

Impact: Exposure of these secrets can lead to session hijacking and unauthorized API access.

Fix: Version 0.15.0 changes …
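A regression check for the exposure described above, as an added example that is not part of the advisory or of the AuthKit library: it scans server-rendered HTML for the sealedSession and accessToken property names and for JWT-shaped strings inside inline scripts. The function names, the sample pages and the window.__remixContext shape are constructed assumptions.

```javascript
// Added example: audit server-rendered HTML for the auth artifacts named in the advisory.
const SENSITIVE_KEYS = ['sealedSession', 'accessToken'];
// JWT-shaped value: three base64url segments, the first starting with "eyJ".
const JWT_RE = /eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}/g;

// Return the bodies of inline <script> elements (external scripts with src= are skipped).
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) bodies.push(m[2]);
  }
  return bodies;
}

// Report sensitive property names and token-shaped values found in inline scripts.
function findLeakedAuthData(html) {
  const findings = [];
  inlineScripts(html).forEach((body, script) => {
    for (const key of SENSITIVE_KEYS) {
      // Matches key: / "key": / \"key\": (JSON nested inside a JS string literal).
      const keyRe = new RegExp(`\\b${key}\\b\\\\?["']?\\s*:`);
      if (keyRe.test(body)) findings.push({ script, type: 'key', name: key });
    }
    for (const token of body.match(JWT_RE) || []) {
      // Truncate so the report itself does not carry a usable token.
      findings.push({ script, type: 'jwt-like', name: token.slice(0, 8) + '...' });
    }
  });
  return findings;
}

// Constructed sample pages. The window.__remixContext shape is an assumption
// standing in for however the framework serializes loader data into the page.
const FAKE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzAxIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy';
const LEAKY_HTML = `<html><body><div id="root"></div>
<script src="/build/entry.js"></script>
<script>window.__remixContext = {"state":{"loaderData":{"root":{"user":{"id":"user_01"},
"accessToken":"${FAKE_JWT}","sealedSession":"CONSTRUCTED-SEALED-VALUE"}}}};</script>
</body></html>`;
const CLEAN_HTML = `<html><body>
<script>window.__remixContext = {"state":{"loaderData":{"root":{"user":{"id":"user_01"}}}}};</script>
</body></html>`;

console.log(findLeakedAuthData(LEAKY_HTML)); // two key findings and one jwt-like finding
console.log(findLeakedAuthData(CLEAN_HTML)); // []
```

Run against the HTML of an authenticated route in CI, an empty result confirms that no loader is serializing these values into the page.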