When a user logs in to your app and becomes authenticated, Privy issues the user an app access token. This token is signed by Privy and cannot be spoofed. When your frontend makes a request to your backend, you should include the current user’s access token in the request. This allows your server to determine whether the requesting user is truly authenticated or not.
Privy access tokens are JSON Web Tokens (JWT), signed with the ES256 algorithm. These JWTs include certain information about the user in their claims, namely:
To include the current user’s access token in requests from your frontend to your backend, you’ll first need to retrieve it, then send it appropriately.
If your app is configured to use HTTP-only cookies (instead of the default local storage), the browser automatically attaches the access token cookie to requests to the same domain. In this case, you don’t need to manually include the token in the request headers. Because the browser attaches the cookie without any action from your code, cookie-based sessions need the usual cross-site request forgery (CSRF) protections on state-changing backend routes; a Bearer header set by your own JavaScript does not have this exposure.
When your server receives a request, the location of the user’s access token depends on whether your app uses local storage (the default) or cookies to manage user sessions.
If you’re using local storage for session management, the access token will be passed in the Authorization header of the request with the Bearer prefix. You can extract it like this:
```javascript
// Helper: return the token only when the header really uses the Bearer scheme,
// rather than blindly stripping the word "Bearer " wherever it appears.
const bearer = (value) =>
  value?.startsWith('Bearer ') ? value.slice('Bearer '.length) : undefined;

// Example for Express.js
const accessToken = bearer(req.headers.authorization);

// Example for Next.js API route
const accessToken = bearer(req.headers.authorization);

// Example for Next.js App Router (import { headers } from 'next/headers')
const accessToken = bearer(headers().get('authorization'));
```
```go
// Example for Go (net/http handler; import "strings")
auth := r.Header.Get("Authorization")
accessToken := ""
if strings.HasPrefix(auth, "Bearer ") {
	accessToken = strings.TrimPrefix(auth, "Bearer ")
}
```
```python
# Example for Python (Flask-style request object).
# Default to "" so a missing header does not raise AttributeError on .startswith().
auth_header = request.headers.get("Authorization", "")
access_token = auth_header[len("Bearer "):] if auth_header.startswith("Bearer ") else None
```
If you’re using HTTP-only cookies for session management, the access token will be automatically included in the privy-token cookie. You can extract it like this:
```javascript
// Example for Express.js (requires the cookie-parser middleware to populate req.cookies)
const accessToken = req.cookies['privy-token'];

// Example for Next.js API route
const accessToken = req.cookies['privy-token'];

// Example for Next.js App Router (import { cookies } from 'next/headers')
const cookieStore = cookies();
const accessToken = cookieStore.get('privy-token')?.value;
```
```go
// Example for Go (net/http). http.Request has no Cookies map; use r.Cookie,
// which returns http.ErrNoCookie when the cookie is absent.
accessToken := ""
if c, err := r.Cookie("privy-token"); err == nil {
	accessToken = c.Value
}
```
```python
# Example for Python (Flask-style request object); None if the cookie is absent
access_token = request.cookies.get("privy-token")
```
Once you’ve obtained the user’s access token from a request, you should verify the token against Privy’s verification key for your app to confirm that the token was issued by Privy and that the user referenced by the DID in the token is truly authenticated. The access token is a standard ES256 JWT, and the verification key is the matching standard ECDSA public key on the P-256 curve (ES256 is ECDSA with P-256 and SHA-256; it is not an Ed25519 key). You can verify the access token against the public key using the @privy-io/node or @privy-io/server-auth libraries, or using a third-party JWT library. Whichever you use, pin the expected algorithm to ES256 rather than trusting the token’s own header, and check the expiry claim as well as the signature.
A user’s access token might expire while they are actively using your app. For example, if a user does not take action on an application for an extended period of time, the access token can become expired.
Handle invalid token errors: In these scenarios, if a method returns with an 'invalid auth token' error, we recommend calling the getAccessToken method with a time-based backoff until the user’s access token is refreshed with an updated expiration time.
Return errors from backend: If you receive an expired access token in your backend, return an error to your client, and as above, trigger getAccessToken in your client.
Handle failed refreshes: If the user’s access token cannot be refreshed, the user will be logged out.