How It Works

Understanding the architecture behind next-api-layer helps you make the most of its features and troubleshoot effectively.

Architecture Overview#

The library consists of two main components working together:

Layer	Component	Responsibilities
Proxy	`createAuthProxy`	Token validation, auto refresh, guest tokens, CSRF, rate limiting
API Client	`createApiClient`	XSS sanitization, i18n injection, method spoofing, auth handling

Request Flow:

Request Flow#

When a request comes into your Next.js application, here's what happens:

1. Proxy Intercepts#

The createAuthProxy proxy intercepts every request:

TypeScript

2. Token Validation#

The proxy checks for authentication tokens in cookies:

User Token Check: First, it looks for the user token cookie
Guest Token Fallback: If no user token, checks for guest token
Validation: Validates the found token against your backend's /auth/me endpoint
Caching: Valid tokens are cached to reduce backend calls

3. Auto Refresh#

If a token is expired but a refresh is possible:

Calls your backend's /auth/refresh endpoint
Updates the cookie with the new token
Sets x-refreshed-token header for downstream use
Continues the request with the new token

4. Route Protection#

Based on your access configuration:

TypeScript

Protected Routes: Require authentication, redirect to /login if not authenticated
Auth Routes: Login/register pages, redirect away if already authenticated
Public Routes: Accessible by anyone

5. API Client Processing#

When your route handlers use the API client:

TypeScript

The client:

Retrieves the token (from refreshed header or cookies)
Makes the request to your backend
Sanitizes the response (XSS protection)
Returns a Response object

Security Pipeline#

Every request passes through multiple security layers:

Rate Limiting#

TypeScript

Protects against DoS attacks by limiting requests per IP.

CSRF Protection#

TypeScript

Uses modern Fetch Metadata headers combined with signed double-submit cookies.

XSS Sanitization#

TypeScript

All API responses are sanitized to prevent XSS attacks.

Audit Logging#

TypeScript

Track authentication events for security monitoring.

Token Cascade#

Tokens are retrieved in this priority order:

x-refreshed-token header: If proxy refreshed the token
User token cookie: For authenticated users
Guest token cookie: For anonymous sessions

TypeScript

Composability#

You can extend the proxy behavior with hooks:

TypeScript

Server Components Support#

For Server Components, use getServerUser:

TypeScript

This reads the x-auth-user header set by the proxy, avoiding extra backend calls.

How It Works

Understanding the architecture behind next-api-layer helps you make the most of its features and troubleshoot effectively.

Architecture Overview#

The library consists of two main components working together:

Layer	Component	Responsibilities
Proxy	`createAuthProxy`	Token validation, auto refresh, guest tokens, CSRF, rate limiting
API Client	`createApiClient`	XSS sanitization, i18n injection, method spoofing, auth handling

Request Flow:

Request Flow#

When a request comes into your Next.js application, here's what happens:

1. Proxy Intercepts#

The createAuthProxy proxy intercepts every request:

TypeScript

2. Token Validation#

The proxy checks for authentication tokens in cookies:

User Token Check: First, it looks for the user token cookie
Guest Token Fallback: If no user token, checks for guest token
Validation: Validates the found token against your backend's /auth/me endpoint
Caching: Valid tokens are cached to reduce backend calls

3. Auto Refresh#

If a token is expired but a refresh is possible:

Calls your backend's /auth/refresh endpoint
Updates the cookie with the new token
Sets x-refreshed-token header for downstream use
Continues the request with the new token

4. Route Protection#

Based on your access configuration:

TypeScript

Protected Routes: Require authentication, redirect to /login if not authenticated
Auth Routes: Login/register pages, redirect away if already authenticated
Public Routes: Accessible by anyone