TypeScript • npm 0.2.0+ • Next.js / Remix / SvelteKit
Web (SSR) SDK
Companion to the Web SDK for server-rendered apps. HttpOnly cookie sessions + middleware-gated routes.
What's included
- `sendoraMiddleware` for Next.js / Remix / SvelteKit — protect routes by path glob.
- `createSendoraServerClient(cookies())` reads the session in server components without leaking tokens to the client bundle.
- Refresh-token rotation (chain detection + reuse alert) — Stripe / Clerk parity.
- `./middleware` + `./server` + `./client` subpath exports for clean separation.
Install
```bash
npm install @sendoracloud/sdk-web-ssr @sendoracloud/sdk-web
```
Peers
- `@sendoracloud/sdk-web`: optional peer — required for the `./client` re-export surface.
Quickstart
```ts
// middleware.ts
import { sendoraMiddleware } from "@sendoracloud/sdk-web-ssr/middleware";

export default sendoraMiddleware({
  publicKey: process.env.NEXT_PUBLIC_SENDORA_KEY!,
  protected: ["/dashboard"],
  loginPath: "/login",
});
```

```ts
// app/page.tsx (server component)
import { cookies } from "next/headers";
import { createSendoraServerClient } from "@sendoracloud/sdk-web-ssr/server";

const sendora = createSendoraServerClient(cookies(), {
  publicKey: process.env.NEXT_PUBLIC_SENDORA_KEY!,
});
const session = sendora.getSession();
```

```ts
// "use client" component
import { SendoraCloud } from "@sendoracloud/sdk-web-ssr/client";

const s = SendoraCloud.init({ apiKey: process.env.NEXT_PUBLIC_SENDORA_KEY! });
s.track("page.viewed");
```
Security posture
- HttpOnly + SameSite=Lax cookies for session storage — no token in `localStorage` for XSS to grab.
- Refresh-token chain detection — backend revokes the chain on reuse + emits an alert.
- Double-submit CSRF baked into mutating endpoints.
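
The refresh-token chain detection listed above, as an added sketch that is not Sendora's backend code or part of the SDK: every refresh token is single-use, and replaying an already-rotated token revokes its whole chain and records an alert. `RefreshTokenStore`, `startChain`, `rotate` and the counter-based token minting in `demo` are hypothetical names and assumptions made for this illustration.

```typescript
// Illustrative in-memory model; names are hypothetical, not the Sendora API.
type Status = "ok" | "unknown" | "revoked" | "reuse";
type RefreshResult = { status: Status; refreshToken?: string };

class RefreshTokenStore {
  private tokens = new Map<string, { chainId: string; used: boolean }>();
  private revokedChains = new Set<string>();
  private mint: () => string;
  alerts: string[] = [];

  // mint must return CSPRNG output in real use; store only hashes at rest.
  constructor(mint: () => string) { this.mint = mint; }

  // Login: start a new chain and issue its first refresh token.
  startChain(chainId: string): string {
    const token = this.mint();
    this.tokens.set(token, { chainId, used: false });
    return token;
  }

  // Refresh: each token is single-use; presenting it yields its successor.
  rotate(presented: string): RefreshResult {
    const rec = this.tokens.get(presented);
    if (!rec) return { status: "unknown" };
    if (this.revokedChains.has(rec.chainId)) return { status: "revoked" };
    if (rec.used) {
      // A rotated token came back: client or thief holds a stale copy.
      // The server cannot tell which, so the whole chain is revoked.
      this.revokedChains.add(rec.chainId);
      this.alerts.push("refresh-token reuse on chain " + rec.chainId);
      return { status: "reuse" };
    }
    rec.used = true;
    const next = this.mint();
    this.tokens.set(next, { chainId: rec.chainId, used: false });
    return { status: "ok", refreshToken: next };
  }
}

// Constructed scenario: token t1 is copied, then both holders refresh.
function demo(): string[] {
  let n = 0;
  const store = new RefreshTokenStore(() => "t" + ++n); // counter: demo only
  const t1 = store.startChain("chain-A");
  const first = store.rotate(t1); // legitimate refresh, issues t2
  const replay = store.rotate(t1); // stale copy replayed, chain revoked
  const after = store.rotate(first.refreshToken || ""); // t2 is dead too
  return [first.status, replay.status, after.status, ...store.alerts];
}
```

After the replay, the newest token in the chain is rejected as well, so the legitimate user has to sign in again; that forced re-login is the cost of not being able to tell which holder of the stale token is the real client.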