
CSRF token

Obtain a CSRF token for use with mutation endpoints.
All POST, PATCH, and DELETE requests must include a valid CSRF token in the x-csrf-token header.

Get CSRF token

GET /api/auth/csrf-token
Authentication: Required
Response 200 OK:
{
  "csrfToken": "a1b2c3d4e5f6..."
}
The token is valid for the duration of the user’s session. Store it and include it in the x-csrf-token header of all subsequent mutation requests.

Usage example

import { csrfFetch } from '@/lib/csrf'

// csrfFetch automatically handles token acquisition and inclusion
const response = await csrfFetch('/api/passwords', {
  method: 'POST',
  body: JSON.stringify({
    service_name: 'GitHub',
    username: 'user@example.com',
    password: 'encrypted-password-data',
    url: 'https://github.com/login',
  }),
})
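The flow above (fetch the token once, cache it for the session, attach it only to POST/PATCH/DELETE) as an added example; this is not the project's own @/lib/csrf, and createCsrfFetch(fetchImpl) with an injectable fetch plus the constructed fake server are assumptions so it runs offline.

```javascript
// Added example, not PassAgent's @/lib/csrf. Wraps fetch so that mutation
// requests carry the x-csrf-token header obtained from GET /api/auth/csrf-token.
const MUTATING = new Set(['POST', 'PATCH', 'DELETE']);

function createCsrfFetch(fetchImpl) {
  let cachedToken = null; // valid for the session, so fetched once

  async function getCsrfToken() {
    if (cachedToken) return cachedToken;
    const res = await fetchImpl('/api/auth/csrf-token', { method: 'GET', credentials: 'include' });
    if (!res.ok) throw new Error(`CSRF token request failed: ${res.status}`);
    const body = await res.json();
    if (typeof body.csrfToken !== 'string' || body.csrfToken.length === 0) {
      throw new Error('CSRF token response missing csrfToken');
    }
    cachedToken = body.csrfToken;
    return cachedToken;
  }

  async function csrfFetch(url, init = {}) {
    const method = (init.method || 'GET').toUpperCase();
    const headers = { ...(init.headers || {}) };
    if (MUTATING.has(method)) {
      headers['x-csrf-token'] = await getCsrfToken(); // only mutations need it
    }
    // credentials: 'include' sends the HTTP-only session cookie (assumption: web client)
    return fetchImpl(url, { ...init, method, headers, credentials: 'include' });
  }

  return { csrfFetch, getCsrfToken };
}

// Constructed fake server (assumption): issues a fixed token and rejects
// mutations that lack a matching x-csrf-token header with 403.
function createFakeServer(token) {
  const calls = [];
  const fetchImpl = async (url, init = {}) => {
    const headers = init.headers || {};
    calls.push({ url, method: init.method, headers });
    if (url === '/api/auth/csrf-token') {
      return { ok: true, status: 200, json: async () => ({ csrfToken: token }) };
    }
    const ok = !MUTATING.has(init.method) || headers['x-csrf-token'] === token;
    return { ok, status: ok ? 200 : 403, json: async () => ({ success: ok }) };
  };
  return { fetchImpl, calls };
}
```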

Session management

PassAgent uses Supabase Auth for session management. Sessions are maintained via HTTP-only cookies (web) or Bearer tokens (extensions, iOS).

Session refresh

Sessions are automatically refreshed by the Supabase client middleware. The Next.js middleware intercepts requests and refreshes expired tokens transparently.

Logout

POST /api/auth/logout
Authentication: Required
Destroys the current session and clears authentication cookies.
Response 200 OK:
{
  "success": true
}