Server Utilities
The Auth SDK provides server-side helper functions for use in Server Components, Server Actions, and Route Handlers.
requireAuth
Get the authenticated user or redirect to login. Use this when the page requires authentication.
import { requireAuth } from "@pylo/auth-nextjs";

export default async function DashboardPage() {
  const user = await requireAuth()
  // User is guaranteed to exist here
  return <p>Welcome, {user.email}</p>
}

Redirects to /auth/login by default. Customize with the redirectTo option:

const user = await requireAuth({ redirectTo: '/sign-in' })

getUser
Get the current user, or null if not authenticated.
import { getUser } from "@pylo/auth-nextjs";

export default async function ProfilePage() {
  const user = await getUser()
  if (!user) {
    return <p>Not logged in</p>
  }
  return <p>Email: {user.email}</p>
}

loggedIn
Check if the current request is authenticated. Returns a boolean.
import { loggedIn } from "@pylo/auth-nextjs";

export default async function Page() {
  if (await loggedIn()) {
    return <AuthenticatedContent />
  }
  return <PublicContent />
}

getAuthToken / getRefreshToken
Access the raw tokens from cookies. Useful for custom API calls or debugging.
import { getAuthToken, getRefreshToken } from "@pylo/auth-nextjs";

const authToken = await getAuthToken() // string | undefined
const refreshToken = await getRefreshToken() // string | undefined

refreshTokens
Manually refresh the auth and refresh tokens. Usually not needed since middleware handles this automatically.
import { refreshTokens } from "@pylo/auth-nextjs";

const result = await refreshTokens()
if (result.success) {
  // Tokens have been refreshed and cookies updated
  console.log(result.authToken)
} else {
  console.error(result.error?.message)
}

Cookie Configuration
The Auth SDK stores tokens in HTTP-only cookies. You can customize cookie behavior by passing
cookieOptions to createPyloProxy() or pyloAuth():
import { createPyloProxy } from "@pylo/auth-nextjs";

export const proxy = createPyloProxy({
  publicPaths: ["/auth"],
  cookieOptions: {
    secure: true, // HTTPS only (default: true in production)
    sameSite: "lax", // CSRF protection (default: 'lax')
    domain: ".example.com", // Cross-subdomain sharing
    path: "/", // Cookie path (default: '/')
    authMaxAge: 3600, // Auth token lifetime in seconds (default: 1 hour)
    refreshMaxAge: 604800, // Refresh token lifetime in seconds (default: 7 days)
  },
});

Cookie Options Reference
| Option | Type | Default | Description |
|---|---|---|---|
| secure | boolean | true in production | Only send cookies over HTTPS |
| sameSite | "strict" \| "lax" \| "none" | "lax" | CSRF protection setting |
| domain | string | "" | Cookie domain for cross-subdomain sharing |
| path | string | "/" | Cookie path |
| authMaxAge | number | 3600 (1 hour) | Auth token cookie lifetime in seconds |
| refreshMaxAge | number | 604800 (7 days) | Refresh token cookie lifetime in seconds |
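
The options in the table above decide how widely and for how long both token cookies are exposed. As an added example (not part of the SDK or of the original page), the hypothetical helper `auditCookieOptions` applies the documented defaults to a `cookieOptions` object and flags risky combinations; the severity labels and the sample inputs are this example's own assumptions.

```javascript
// Hypothetical helper, not an SDK export. Defaults come from the table above.
const DEFAULTS = { sameSite: "lax", domain: "", path: "/", authMaxAge: 3600, refreshMaxAge: 604800 };

function auditCookieOptions(cookieOptions = {}, { production = true } = {}) {
  // `secure` defaults to true only in production, per the table.
  const opts = { ...DEFAULTS, secure: production, ...cookieOptions };
  const findings = [];
  const add = (severity, option, message) => findings.push({ severity, option, message });

  if (!["strict", "lax", "none"].includes(opts.sameSite)) {
    add("high", "sameSite", `unknown value ${JSON.stringify(opts.sameSite)}`);
  }
  if (production && opts.secure !== true) {
    add("high", "secure", "tokens can be sent over plain HTTP");
  }
  if (opts.sameSite === "none") {
    add("medium", "sameSite", "cookies ride along on cross-site requests; CSRF needs another defense");
    if (opts.secure !== true) {
      add("high", "sameSite", "browsers reject SameSite=None cookies that lack Secure");
    }
  }
  if (opts.domain) {
    // A Domain attribute widens the cookie from one host to the whole subtree.
    const parent = opts.domain.replace(/^\./, "");
    add("medium", "domain", `every host under ${parent} receives both token cookies`);
  }
  for (const key of ["authMaxAge", "refreshMaxAge"]) {
    if (!Number.isInteger(opts[key]) || opts[key] <= 0) {
      add("high", key, "lifetime must be a positive integer number of seconds");
    }
  }
  if (opts.authMaxAge > DEFAULTS.authMaxAge) {
    add("low", "authMaxAge", "auth token cookie outlives the 1 hour default");
  }
  if (opts.refreshMaxAge < opts.authMaxAge) {
    add("medium", "refreshMaxAge", "refresh cookie expires before the auth cookie");
  }
  return findings;
}

// Constructed inputs: the page's sample config, then a deliberately weak one.
const pageConfig = { secure: true, sameSite: "lax", domain: ".example.com", path: "/", authMaxAge: 3600, refreshMaxAge: 604800 };
const weakConfig = { secure: false, sameSite: "none", authMaxAge: 1209600 };
for (const [name, cfg] of Object.entries({ pageConfig, weakConfig })) {
  console.log(name, auditCookieOptions(cfg).map((f) => `${f.severity}:${f.option}`));
}
```

Running the audit in CI against the object passed to `createPyloProxy()` or `pyloAuth()` catches a weakened setting before it ships.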
Cookie Names
The SDK uses the following cookie names:
| Cookie | Purpose |
|---|---|
| pylo_auth_token | JWT auth token |
| pylo_refresh_token | Refresh token |
Function Reference
| Function | Return Type | Description |
|---|---|---|
| requireAuth() | Promise<PyloUser> | Get user or redirect to login |
| getUser() | Promise<PyloUser \| null> | Get user or null |
| loggedIn() | Promise<boolean> | Check if authenticated |
| getAuthToken() | Promise<string \| undefined> | Get auth token from cookies |
| getRefreshToken() | Promise<string \| undefined> | Get refresh token from cookies |
| refreshTokens() | Promise<AuthResult> | Manually refresh tokens |