
Hi, how do I validate an existing session token?

  • Web
  • Cloud
yuvraj
21 May, 2024, 10:12

User logs in -> I create session token on server side -> I create cookies

Then I'm using the following code to create an Appwrite session based on the session token & protect my frontend routes.

But now I want to protect my API routes. What is the best approach? Since the token can be changed on the client side, how do I verify the integrity of it?

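```js
// Assumed imports (not shown in the original post): Appwrite's Node SDK
// and the Next.js cookies helper.
import { Client, Account } from "node-appwrite";
import { cookies } from "next/headers";

export async function createAppwriteSessionClient() {
  const client = new Client()
    .setEndpoint(process.env.APPWRITE_ENDPOINT)
    .setProject(process.env.APPWRITE_PROJECT);

  // Read the session secret from the "session" cookie set at login.
  const session = cookies().get("session");
  if (!session || !session.value) {
    throw new Error("No session");
  }

  // Attach the session secret to requests made by this client.
  client.setSession(session.value);

  return {
    get account() {
      return new Account(client);
    },
  };
}
```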

TL;DR
To validate an existing session token in Appwrite, it is recommended to check the session token's integrity on the server side. You can create a function like `createAppwriteSessionClient()` to set up the client with the session token and protect both your frontend and API routes. This approach ensures that tampered session tokens are rejected. When protecting API routes, always validate the session token on the server side to maintain security.
yuvraj
21 May, 2024, 10:25

Should I call createAppwriteSessionClient() every time before making any requests to Appwrite? Assuming client.setSession(session.value) will reject tampered session tokens?
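
An added example, not part of the original thread and not Appwrite's own code: one way to guard an API route is to make an authenticated call such as `account.get()` with the cookie's session secret and treat a failure as unauthenticated, because `client.setSession()` only attaches the secret to the client and the check happens when Appwrite receives a request. `requireUser`, `protect`, the `req.cookies` shape and the offline `fakeAccount` stand-in are assumptions made for illustration.

```javascript
// Added example. `makeAccount` is a hypothetical injection point; in a real app
// it would return the `account` from the thread's createAppwriteSessionClient().
async function requireUser(sessionSecret, makeAccount) {
  // No cookie: reject without contacting Appwrite.
  if (typeof sessionSecret !== "string" || sessionSecret === "") {
    return { ok: false, status: 401, error: "No session" };
  }
  try {
    // account.get() is a round trip to Appwrite, which rejects a secret that
    // is unknown, expired or altered. setSession() alone performs no check.
    const user = await makeAccount(sessionSecret).get();
    return { ok: true, status: 200, user };
  } catch (err) {
    // The SDK's AppwriteException carries the HTTP status in `code`.
    if (err && err.code === 401) {
      return { ok: false, status: 401, error: "Invalid session" };
    }
    // Anything else is a backend failure; fail closed, but not as a 401.
    return { ok: false, status: 502, error: "Auth backend unavailable" };
  }
}

// Wrap an API handler so it only runs for a verified user.
// The `req.cookies.session` shape is an assumption about the framework.
function protect(handler, makeAccount) {
  return async (req) => {
    const auth = await requireUser(req.cookies && req.cookies.session, makeAccount);
    if (!auth.ok) return { status: auth.status, body: { error: auth.error } };
    return handler(req, auth.user);
  };
}

// Constructed stand-in for the Appwrite SDK so the example runs offline.
const VALID_SECRET = "constructed-valid-secret";
function fakeAccount(secret) {
  return {
    async get() {
      if (secret === "simulate-outage") throw new Error("network down");
      if (secret !== VALID_SECRET) throw Object.assign(new Error("unauthorized"), { code: 401 });
      return { $id: "constructed-user-id" };
    },
  };
}
```

The handler never sees a request whose cookie Appwrite did not accept, and a backend outage is reported separately from a rejected session so the two can be told apart in logs.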
