@sendoracloud/sdk-web-ssr

v0.2.0

Published

Sendora Cloud server-side Web SDK — HttpOnly-cookie session helpers, Next.js / Remix / SvelteKit middleware + RSC clients. Pairs with @sendoracloud/sdk-web (peer dep) for the browser-side surface.

Server-side companion to @sendoracloud/sdk-web.

For Next.js (App Router), Remix, SvelteKit, SolidStart, or any framework with a server runtime where Sendora sessions live in HttpOnly cookies. For pure SPA / browser-only apps, use @sendoracloud/sdk-web instead.

Why

Storing session tokens in localStorage (the default for @sendoracloud/sdk-web) is fine for SPAs but exposes them to any XSS payload that runs on your origin. The industry-standard secure posture for framework apps is:

  • Tokens in HttpOnly + Secure + SameSite cookies — JS can't read them.
  • Refresh-token rotation with reuse detection — a stolen refresh cookie is single-use and triggers a family-wide revoke on replay.
  • CSRF double-submit for any cookie-authenticated mutation.
  • Edge middleware that gates protected routes without an extra round trip per request.

This package wraps all four behind a small surface so your middleware.ts and RSC code stay clean.

Install

npm install @sendoracloud/sdk-web-ssr @sendoracloud/sdk-web

@sendoracloud/sdk-web is an optional peer dependency, only required if you import the ./client subpath (browser-side surface — analytics, feature flags, surveys, in-app messaging, chatbot, auth-from-the-browser). Pure middleware / server / token decode usage doesn't need it.

Targets Node 18+, Bun, Deno, and the Next.js Edge runtime. Zero non-peer runtime dependencies.

Subpath exports

| Subpath | Use it from | What it has |
|---|---|---|
| ./middleware | middleware.ts (edge runtime) | sendoraMiddleware() route gate |
| ./server | RSC, route handlers, server actions | createSendoraServerClient() |
| ./client | client components ("use client") | re-export of @sendoracloud/sdk-web |
| . | anywhere | low-level token decode + cookie name constants |

The ./client subpath is a pure re-export, not a bundle — @sendoracloud/sdk-web is resolved as a peer dep so version compatibility is explicit and tree-shaking deduplicates it.

Next.js — middleware

// middleware.ts
import { sendoraMiddleware } from "@sendoracloud/sdk-web-ssr/middleware";

export default sendoraMiddleware({
  publicKey: process.env.NEXT_PUBLIC_SENDORA_KEY!,
  protected: ["/dashboard", "/account"],
  publicPaths: ["/login", "/api/public"],
  loginPath: "/login",
});

export const config = {
  matcher: "/((?!_next/static|_next/image|favicon.ico).*)",
};

Per request: pass-through if cookie is valid, silent rotation if access expired but refresh present, redirect to /login?from=… otherwise.

Next.js — client components

"use client";
import { SendoraCloud } from "@sendoracloud/sdk-web-ssr/client";

const sendora = SendoraCloud.init({ apiKey: process.env.NEXT_PUBLIC_SENDORA_KEY! });

export function TrackButton() {
  return <button onClick={() => sendora.track("button.clicked")}>Click</button>;
}

Next.js — server components + route handlers

import { cookies } from "next/headers";
import { createSendoraServerClient } from "@sendoracloud/sdk-web-ssr/server";

export default async function Dashboard() {
  const sendora = createSendoraServerClient(cookies(), {
    publicKey: process.env.NEXT_PUBLIC_SENDORA_KEY!,
  });
  const session = sendora.getSession();
  if (!session) return <p>Not signed in.</p>;
  return <p>Hello {session.email}</p>;
}

Server actions — sign in / sign out

"use server";
import { cookies } from "next/headers";
import { createSendoraServerClient } from "@sendoracloud/sdk-web-ssr/server";

export async function signOut() {
  const sendora = createSendoraServerClient(cookies(), {
    publicKey: process.env.NEXT_PUBLIC_SENDORA_KEY!,
  });
  await sendora.signOut();
}

Sign-in (email + password, magic link, social, etc.) calls Sendora's /auth-service/login-family endpoints from a server action with credentials: "include". The backend sets the cookies on the response — the framework forwards them automatically.

Token verification model

getSession() decodes the JWT and checks expiry. It does not verify the RS256 signature locally — that would require fetching JWKS on every render and defeat the cookie-cache speed. The Sendora backend re-verifies the signature on every protected API call, which is the authoritative gate. The cookie's HttpOnly + Secure + SameSite attributes guarantee it can only have come from a real backend response.

If you need strict signature verification in middleware (financial dashboards, compliance tooling), use the lower-level decodeAccessToken + your own JWKS fetcher.

License

Apache-2.0