Proxy (Route Protection)
Create a proxy.ts file at the root of your Next.js project to protect routes and automatically inject auth headers.
What the proxy does
For every incoming request:
- Public paths (default: `/api/auth/*`) — passed through immediately, no auth check
- Protected paths — if the session cookie is missing or invalid, redirects to `/api/auth/login?returnTo=<path>`
- Authenticated requests — injects `Authorization: Bearer <accessToken>` into request headers
- Expired tokens — automatically refreshes the access token using the refresh token before continuing
Options
| Option | Default | Description |
|---|---|---|
| `protectedPaths` | `[]` | Paths requiring auth. Supports `*` suffix (e.g. `"/dashboard/*"`) |
| `publicPaths` | `["/api/auth/*"]` | Paths always allowed through (takes precedence over `protectedPaths`) |
| `loginPath` | `"/api/auth/login"` | Where unauthenticated users are redirected |
Using the injected header in API routes
Because the proxy sets Authorization: Bearer <token> on every authenticated request, your API routes can read it directly:
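An added example, not code from the original documentation or the library: an App Router route handler that reads the injected header, accepts only a well-formed Bearer credential, and answers 401 otherwise. The file path `app/api/me/route.ts`, the `readBearerToken` helper and the response bodies are assumptions made for illustration.

```typescript
// app/api/me/route.ts (hypothetical path). Added example, not the library's code.

// RFC 6750 "b64token": the only characters a Bearer credential may contain.
const B64TOKEN = /^[A-Za-z0-9\-._~+/]+=*$/;

// Returns the token from an Authorization header value, or null when the
// header is absent, uses another scheme, or carries a malformed credential.
export function readBearerToken(headerValue: string | null): string | null {
  if (!headerValue) return null;
  // The scheme name is case-insensitive; exactly one credential must follow it.
  const match = /^Bearer +(\S+)$/i.exec(headerValue.trim());
  const token = match?.[1];
  if (!token) return null;
  return B64TOKEN.test(token) ? token : null;
}

// Small helper so both branches return JSON with consistent headers.
function json(status: number, body: unknown, extra: Record<string, string> = {}): Response {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json", ...extra },
  });
}

export async function GET(request: Request): Promise<Response> {
  const token = readBearerToken(request.headers.get("authorization"));
  if (token === null) {
    // No usable header, e.g. the route is not listed in protectedPaths and an
    // unauthenticated request reached it. Fail closed instead of continuing.
    return json(401, { error: "unauthorized" }, { "www-authenticate": "Bearer" });
  }
  // Use the token server-side only (for example, to call the API it was
  // issued for). Do not echo it into the response body or write it to logs.
  return json(200, { authenticated: true });
}
```
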