Getting a user's access token from a request

When your app frontend sends a request to your server, you should include the current user's access token in the Authorization header of the request. This allows your backend to securely identify the requesting user and gate API routes based on their authentication status, their user DID, and more.

INFO

This guide assumes you have already configured your frontend to include users' access tokens in requests to your server. If this is not the case, please begin with the frontend authorization guide.

When your server receives a request, the location of the user's access token depends on whether your app uses local storage (the default) or cookies to manage user sessions:

  • If using local storage to store a user's session, the access token will be passed in the Authorization header of the request.
  • If using cookies to store a user's session, the access token will be passed in the privy-token cookie on the request.

For example, in NextJS, you might extract the auth token from a NextApiRequest as follows:

```tsx
// Optional chaining avoids a TypeError when the Authorization header is missing.
const accessToken = req.headers.authorization?.replace('Bearer ', '');
```
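The following is an added example, not code from Privy or from the original guide. It covers both session modes described above: the token is read from the Authorization header, or from the privy-token cookie when that header is absent. `RequestLike`, `getAccessToken` and the other names are assumptions made for illustration, and the sample requests are constructed.

```typescript
// Added example (not Privy's code). Only the Authorization header and the
// privy-token cookie name come from the guide; every other name is assumed.
type HeaderValue = string | string[] | undefined;
interface RequestLike {
  headers: { authorization?: HeaderValue; cookie?: HeaderValue };
}

// RFC 6750 Bearer syntax: case-insensitive scheme, spaces, then a b64token.
const BEARER = /^Bearer[ ]+([A-Za-z0-9\-._~+\/]+=*)$/i;

function firstValue(v: HeaderValue): string | undefined {
  return Array.isArray(v) ? v[0] : v;
}

// Compare the cookie name exactly so "not-privy-token" is never accepted.
function tokenFromCookie(cookieHeader: string | undefined): string | null {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === 'privy-token') {
      const value = part.slice(eq + 1).trim();
      return value.length > 0 ? value : null;
    }
  }
  return null;
}

// Returns the raw, still unverified token string, or null if none is usable.
function getAccessToken(req: RequestLike): string | null {
  const header = firstValue(req.headers.authorization);
  if (header !== undefined) {
    const m = BEARER.exec(header.trim());
    // A malformed header is rejected here instead of falling back to the cookie.
    return m ? (m[1] ?? null) : null;
  }
  return tokenFromCookie(firstValue(req.headers.cookie));
}

// Constructed sample requests; the token values are placeholders.
const SAMPLE_REQUESTS: RequestLike[] = [
  { headers: { authorization: 'Bearer aaa.bbb.ccc' } },
  { headers: { cookie: 'theme=dark; privy-token=aaa.bbb.ccc' } },
  { headers: { authorization: 'Basic dXNlcjpwdw==' } },
  { headers: {} },
];
const sampleResults = SAMPLE_REQUESTS.map(getAccessToken);
```

A `null` result means the request carries no usable token and should be treated as unauthenticated; a non-null result is untrusted input until the token has been verified.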