Server SDK

authenticateRequest

Verifies the JWT session token from incoming requests. This is the main function you’ll use to authenticate users in your server functions.

import { authenticateRequest } from "@/embedded-sdk/server";
// createServerFn, useSessionTokenClientMiddleware and env are assumed to be
// imported elsewhere in your app (their imports are not shown here).

const authConfig = {
  jwksUrl: "", // Not used - JWKS is fetched from Gateway
  issuer: env.GATEWAY_URL,
  audience: "your-app-id",
};

export const myServerFunction = createServerFn({ method: "GET" })
  .middleware([useSessionTokenClientMiddleware])
  .handler(async () => {
    const session = await authenticateRequest(authConfig);
    if (!session) {
      throw new Error("Unauthorized");
    }
    const userId = session.sub;
    // ... your logic
  });

Parameters

interface AuthConfig {
  jwksUrl: string;  // Currently unused - JWKS fetched from Gateway
  issuer: string;   // The Gateway URL (validates token issuer)
  audience: string; // Your app ID (validates token audience)
  debug?: boolean;  // Enable verbose logging
}

Return Value

Returns the decoded JWT payload or null if authentication fails:

interface SessionTokenPayload {
  sub: string;             // User ID
  iss: string;             // Issuer (Gateway URL)
  aud: string;             // Audience (your app ID)
  exp: number;             // Expiration timestamp
  iat: number;             // Issued at timestamp
  appId?: string;          // App ID (if included)
  permissions?: string[];  // User permissions (if included)
  email?: string;          // User email (if included)
}

How it works

  1. Extracts the Authorization: Bearer <token> header from the request
  2. Fetches the Gateway’s JWKS (JSON Web Key Set) to get the public key
  3. Verifies the JWT signature, issuer, and audience
  4. Returns the decoded payload if valid, null if invalid