User session and authorization
Get a user's session token from a request
When your app frontend sends a request to your server, include the current user's session token in the Authorization header. This allows your backend to securely identify the requesting user and gate API routes based on their authentication status, user ID, and more.
When your server receives a request, the location of the user's session token depends on whether your app uses local storage (the default) or cookies to manage user sessions:
- If using local storage to store a user's session, the session token is passed in the Authorization header of the request.
- If using cookies to store a user's session, the session token is passed in the openfort.session_token cookie on the request.
For example, in NextJS, you might extract the session token from a NextApiRequest as follows:
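The following is an added example, not Openfort's own code: a small helper that reads the session token from either location described above. It assumes the request exposes `headers` and `cookies` the way a NextApiRequest does, and uses a plain object of the same shape so it runs outside Next.js; the token values are constructed placeholders.

```javascript
// Added example (not Openfort's code): extract the session token from a request.
// `req.headers` and `req.cookies` are the fields a NextApiRequest exposes; a plain
// object with the same shape is used here so the code runs without Next.js.
const SESSION_COOKIE = "openfort.session_token";

// Returns the session token, or null when the request carries none.
// Local-storage mode: "Authorization: Bearer <token>" header.
// Cookie mode: the openfort.session_token cookie.
// The header is checked first; that precedence is this example's choice.
function getSessionToken(req) {
  const header = (req.headers || {}).authorization;
  if (typeof header === "string") {
    // Accept only the Bearer scheme followed by exactly one token; anything
    // else (another scheme, an empty value, extra fields) is treated as absent.
    const match = /^Bearer\s+(\S+)$/i.exec(header.trim());
    if (match) return match[1];
  }
  const cookie = (req.cookies || {})[SESSION_COOKIE];
  if (typeof cookie === "string" && cookie.length > 0) return cookie;
  return null;
}

// Constructed sample requests; the token strings are placeholders, not real tokens.
const headerReq = { headers: { authorization: "Bearer example.session.token" }, cookies: {} };
const cookieReq = { headers: {}, cookies: { [SESSION_COOKIE]: "cookie.session.token" } };
const otherSchemeReq = { headers: { authorization: "Basic dXNlcjpwYXNz" }, cookies: {} };

console.log(getSessionToken(headerReq)); // example.session.token
console.log(getSessionToken(cookieReq)); // cookie.session.token
console.log(getSessionToken(otherSchemeReq)); // null
```

Whatever the helper returns is still an unverified string at this point; the next section covers verifying it against Openfort before trusting any claim about the user.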
Verify the user's session token
Once you've obtained the user's session token from a request, verify the token against Openfort to confirm that Openfort issued it and the user referenced by the token is authenticated.
Session tokens are signed using HMAC-SHA-256 and verified against Openfort's servers. Use the official Openfort Node SDK to verify tokens:
import Openfort from "@openfort/openfort-node";

// Server-side SDK client, initialised with the secret key from the environment.
const openfort = new Openfort(process.env.OPENFORT_SK, {
  publishableKey: process.env.OPENFORT_PUBLISHABLE_KEY,
});

// Replace "USER_SESSION_TOKEN" with the token extracted from the incoming request.
const session = await openfort.iam.getSession({ accessToken: "USER_SESSION_TOKEN" });
console.log("User ID:", session.user.id);
console.log("User Email:", session.user.email);
console.log("Session expires:", session.session.expiresAt);

The getSession method validates the token signature and checks that the session hasn't expired (sessions last 30 days by default with automatic refresh on activity).
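The following is an added example, not Openfort's own code, showing how the verified session is used to gate an API route. The verifier function is injected so the guard can be exercised without the SDK or network access; in production you would pass `(accessToken) => openfort.iam.getSession({ accessToken })` from the snippet above, whose result is assumed to have the `user` and `session.expiresAt` fields the snippet reads. The fake verifier, request objects and token strings are constructed for the example.

```javascript
// Added example (not Openfort's code): require a verified session before a route runs.
// `getSession` is injected; in production it wraps openfort.iam.getSession.

// Bearer-token parsing for the Authorization header (local-storage mode).
function bearerToken(req) {
  const header = (req.headers || {}).authorization;
  const match = typeof header === "string" ? /^Bearer\s+(\S+)$/i.exec(header.trim()) : null;
  return match ? match[1] : null;
}

// Resolves to { status: 200, user } on success, or { status: 401, error } when
// the token is missing, rejected by the verifier, or already expired.
// `now` is injectable so expiry handling can be tested deterministically.
async function requireSession(req, getSession, now = new Date()) {
  const token = bearerToken(req);
  if (!token) return { status: 401, error: "missing session token" };

  let session;
  try {
    session = await getSession(token);
  } catch (err) {
    // Any verification failure gets the same generic response; the detailed
    // reason belongs in server logs, not in the reply to the client.
    return { status: 401, error: "invalid session token" };
  }

  // getSession already rejects expired sessions; this is a defensive re-check
  // against the expiresAt value it returned.
  const expiresAt = new Date(session.session.expiresAt);
  if (!(expiresAt > now)) return { status: 401, error: "session expired" };

  return { status: 200, user: session.user };
}

// Constructed fake verifier: accepts one known token and rejects everything else,
// returning the same shape the page's getSession snippet reads.
const fakeGetSession = async (accessToken) => {
  if (accessToken !== "valid.example.token") throw new Error("signature mismatch");
  return {
    user: { id: "usr_example", email: "alice@example.com" },
    session: { expiresAt: "2030-01-01T00:00:00.000Z" },
  };
};

// Usage with a constructed request:
requireSession({ headers: { authorization: "Bearer valid.example.token" } }, fakeGetSession)
  .then((result) => console.log(result.status, result.user && result.user.id)); // 200 usr_example
```

The route handler then branches on `status`: on 401 it responds with the generic error and stops, and on 200 it uses `user.id` (never a user ID supplied in the request body) for any authorization decision.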