Product Docs Pricing Changelog
Start free Sign in
Docs / Frameworks / Next.js

Next.js (App Router)

Split into two files. The server one imports 'server-only' so a stray import from a client component fails the build, not in prod. Assumes you've set FLARELINK_AUTH_URL and FLARELINK_SERVICE_KEY per Install & configure.

// lib/flarelink.client.ts — usable from "use client" components import { createFlarelink } from "@flarelink/client" export const flarelink = createFlarelink({ url: process.env.NEXT_PUBLIC_FLARELINK_AUTH_URL!, })
// lib/flarelink.server.ts — server actions, route handlers, RSC import "server-only" import { cookies } from "next/headers" import { createFlarelink } from "@flarelink/client" export const flarelink = createFlarelink({ url: process.env.NEXT_PUBLIC_FLARELINK_AUTH_URL!, serviceKey: process.env.FLARELINK_SERVICE_KEY!, cookies: () => cookies().toString(), })
// app/login/page.tsx "use client" import { flarelink } from "@/lib/flarelink.client" export default function LoginPage() { return <button onClick={() => flarelink.auth.signInWithSocial("google")}>Sign in</button> }

Protect a route

In a Server Component or route handler, resolve the user with the server client (cookies are forwarded) and redirect when there's no session.

// app/dashboard/page.tsx — Server Component import { redirect } from "next/navigation" import { flarelink } from "@/lib/flarelink.server" export default async function Dashboard() { const me = await flarelink.auth.getMe() if (!me) redirect("/login") const { rows } = await flarelink .from("posts") .where({ author_id: me.id }) // scope every query to the signed-in user .orderBy("created_at", "desc") return <PostList posts={rows} /> }
// app/api/posts/route.ts — route handler import { flarelink } from "@/lib/flarelink.server" export async function GET() { const me = await flarelink.auth.getMe() if (!me) return new Response("Unauthorized", { status: 401 }) const { rows } = await flarelink.from("posts").where({ author_id: me.id }) return Response.json({ posts: rows }) }
Always derive ownership from me.id server-side and add it to every query's where — never trust an id sent from the client. The service key has full DB access; your route handler is the authorization boundary. (Next.js middleware can't resolve the user with the SDK — do the check in the handler / page, not middleware.)
# .env.local NEXT_PUBLIC_FLARELINK_AUTH_URL=https://myapp-auth.your-subdomain.workers.dev FLARELINK_SERVICE_KEY=flarelink_sk_…
Something unclear or missing? hello@flarelink.dev llms-full.txt ↗