Token Management

Always use httpOnly: true to prevent XSS token theft
Use secure: true in production for HTTPS-only
sameSite: 'lax' provides good CSRF protection while allowing normal navigation
Set appropriate maxAge based on your security requirements

Accessing Tokens#

In Route Handlers#

TypeScript

With API Client#

The API client handles token retrieval automatically:

TypeScript

Token Expiration Handling#

Proxy Level#

The proxy handles expiration automatically:

Detects expired token from validation response
Attempts refresh
If refresh fails, clears cookies and redirects to login (for protected routes)

Client Level#

The AuthProvider keeps client state in sync:

TypeScript

Debugging#

Enable audit logging to track token operations:

TypeScript

This helps identify:

Frequent refresh attempts (might indicate short token TTL)
Failed validations (might indicate backend issues)
Unauthorized access attempts

Token Management

next-api-layer handles JWT token management automatically, including validation, refresh, and caching.

Overview#

The library manages three key token operations:

Validation: Checking if a token is valid
Refresh: Automatically refreshing expired tokens
Caching: Reducing backend calls with smart caching

Token Validation#

Every request triggers token validation through your backend's validate endpoint:

TypeScript

Expected Response Format#

Your backend's /auth/me endpoint should return:

JSON

Custom Response Parsing#

If your backend uses a different format, use responseMappers:

TypeScript

Automatic Token Refresh#

When a token is invalid or expired, the library automatically attempts to refresh it:

TypeScript

Refresh Flow#

Token validation fails (expired/invalid)
Library calls /auth/refresh with current token
If successful, updates cookie with new token
Sets x-refreshed-token header for the request
Continues with the original request

Expected Refresh Response#

JSON

Custom Refresh Parsing#

TypeScript

Token Caching#

To minimize backend calls, validated tokens are cached:

TypeScript

Cache Behavior#

Valid tokens are cached for 2 seconds by default
Cache is per-token (different users have separate entries)
Cache automatically cleans up expired entries
Pending validation requests are deduplicated

Deduplication#

If multiple simultaneous requests come in with the same token:

This prevents thundering herd problems during high traffic.

Token Types#

The library supports different token types:

TypeScript

Type Checking#

TypeScript

Guest vs User Tokens#

Feature	Guest Token	User Token
Created automatically	Yes	No (login required)
Cookie name	`guestToken`	`userToken`
Typical TTL	1 hour	7 days
Can access protected routes	No	Yes

Control how tokens are stored:

TypeScript

Security Best Practices#

Always use httpOnly: true to prevent XSS token theft
Use secure: true in production for HTTPS-only
sameSite: 'lax' provides good CSRF protection while allowing normal navigation
Set appropriate maxAge based on your security requirements

Accessing Tokens#

In Route Handlers#

TypeScript

With API Client#

The API client handles token retrieval automatically:

TypeScript

Token Expiration Handling#

Proxy Level#

The proxy handles expiration automatically:

Detects expired token from validation response
Attempts refresh
If refresh fails, clears cookies and redirects to login (for protected routes)

Client Level#

The AuthProvider keeps client state in sync:

TypeScript

Debugging#

Enable audit logging to track token operations:

TypeScript

This helps identify:

Frequent refresh attempts (might indicate short token TTL)
Failed validations (might indicate backend issues)
Unauthorized access attempts