Backend JSRuntime GuidesNetlify Functions
Auth and Header Bridging
Handle auth headers and guard checks in Netlify handlers and helper layers.
This page covers JWT/session auth propagation and API key/OAuth protected machine-token checks in Netlify function boundaries.
Complete auth utility module
import { authenticateRequest, authFromHeaders } from '@wacht/backend';
export async function requireAuth(request: Request, publishableKey: string) {
const { auth, headers } = await authenticateRequest(request, { publishableKey });
await auth.protect();
return { auth, headers };
}
export function readForwardedAuth(headers: Headers) {
return authFromHeaders(headers);
}API key/OAuth protected utility module
import { gateway } from '@wacht/backend';
export async function checkMachineAccess(
apiKey: string,
resource: string,
method: string,
requiredPermissions: string[],
) {
return gateway.checkPrincipalAuthz(
{
principalType: 'api_key',
principalValue: apiKey,
resource,
method,
requiredPermissions,
},
);
}Header bridge pattern
If your app wraps Netlify handler logic in helper services, forward auth state via x-wacht-auth to avoid reparsing downstream.
import { authenticateRequest, authFromHeaders } from '@wacht/backend';
export async function authenticateIncoming(request: Request, publishableKey: string) {
const { auth, headers } = await authenticateRequest(request, { publishableKey });
await auth.protect();
return { auth, authHeaders: headers };
}
export function loadAuthFromForwardedHeaders(headers: Headers) {
return authFromHeaders(headers);
}Function-to-function calls
- Forward
Authorizationwhen downstream handler re-verifies directly. - Or forward
x-wacht-authwhen you trust upstream verification within the same boundary. - Prefer re-verification across trust boundaries.
- For machine routes, pass only machine tokens to API key/OAuth protected checks and avoid mixing them with session auth code paths.
gatewayUrlis optional; custom host overrides are available on Enterprise plans.