Documentation Index
Fetch the complete documentation index at: https://stackauth-e0affa27-apps-support.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
Setting up with AI? Use this single prompt:
Choose your tech stack
Choose all that apply.
Select a tool to show setup instructions.
- Unified AI Prompt
- Next.js
- React
- JS/TS
- Tanstack Start
- Node.js
- Bun
- Convex
- Supabase
- CLI
Setting up with AI? Use this single prompt in your coding agent to set up Stack Auth for your selected stack.
Next.js SDK Setup Instructions
Follow these instructions in order to set up and get started with the Stack Auth SDK for Next.js .Install dependencies
First, install the
@stackframe/stack npm package with your preferred package manager:npm i @stackframe/stack
# or: pnpm i @stackframe/stack
# or: yarn add @stackframe/stack
# or: bun add @stackframe/stack
Initializing the Stack App
Next, let us create the Stack App object for your project. This is the most important object in a Stack Auth project.In a frontend where you cannot keep a secret key safe, you would use the In a backend where you can keep a secret key safe, you can use the
StackClientApp constructor:src/stack/client.ts
import { StackClientApp } from "@stackframe/stack";
export const stackClientApp = new StackClientApp({
tokenStore: "cookie", // "nextjs-cookie" for Next.js, "cookie" for other web frontends, null for backend environments
});
StackServerApp, which provides access to more sensitive APIs compared to StackClientApp:src/stack/server.ts
import { StackServerApp } from "@stackframe/stack";
import { stackClientApp } from "./client";
export const stackServerApp = new StackServerApp({
inheritsFrom: stackClientApp,
});
Setting up the project
It’s now time to create a development setup for Stack Auth.You can either run Stack Auth locally, or connect to a project hosted in the cloud.
Option 1: Running Stack Auth locally (recommended)
Option 1: Running Stack Auth locally (recommended)
First, create a To run your application with Stack Auth, you then need to start the emulator and set environment variables expected by your application. The
stack.config.ts configuration file in the root directory of the workspace (or anywhere else):stack.config.ts
import type { StackConfig } from "@stackframe/stack";
// default: show-onboarding, which shows the onboarding flow for this project when Stack Auth starts
export const config: StackConfig = "show-onboarding";
emulator run CLI command does both of these, so you can simply wrap your existing dev script in your package.json:package.json
{
// ...
"scripts": {
// ...
"dev": "npx @stackframe/stack-cli emulator run --config-file ./stack.config.ts -- <your-existing-dev-script>"
}
}
Option 2: Connecting a cloud project
Option 2: Connecting a cloud project
If you’d rather run your development environment on our infrastructure, or you already have an existing product, you can also connect a cloud project.This process is slightly different depending on whether you’re setting up a frontend or a backend (whether your app can keep a secret key safe or not).Alternatively, you can also just set the project ID in the They’ll automatically be picked up by the
Frontend
Go to your project’s dashboard on app.stack-auth.com and get the project ID. You can find it in the URL after the/projects/ part. Copy-paste it into your .env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if available, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
stack/client.ts file:src/stack/client.ts
export const stackClientApp = new StackClientApp({
// ...
projectId: "your-project-id",
});
Backend (or both frontend and backend)
First, navigate to the Project Keys page in the Stack Auth dashboard and generate a new set of keys.Then, copy-paste them into your.env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if desired, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
STACK_SECRET_SERVER_KEY=<your-secret-server-key>
StackServerApp constructor.Creating a <StackProvider /> and <StackTheme />
In React frameworks, Stack Auth provides
StackProvider and StackTheme components that should wrap your entire app at the root level.You can do this in the layout.tsx file in the app directory:src/app/layout.tsx
import { Suspense } from "react";
import { StackProvider, StackTheme } from "@stackframe/stack";
import { stackServerApp } from "@/stack/server";
export default function RootLayout({ children }: { children: React.ReactNode }) {
return (
<StackProvider app={stackServerApp}>
<StackTheme>
{children}
</StackTheme>
</StackProvider>
);
}
Add Suspense boundary
Stack Auth also provides additional
useXyz React hooks for getXyz/listXyz functions. For example, useUser is like getUser, but as a suspending React hook.To support the suspension, you need to add a suspense boundary around your app.In Next.js, this can be easily done by adding a loading.tsx file in the app directory:src/app/loading.tsx
export default function Loading() {
return <div>Loading...</div>;
}
React SDK Setup Instructions
Follow these instructions in order to set up and get started with the Stack Auth SDK for React .Install dependencies
First, install the
@stackframe/react npm package with your preferred package manager:npm i @stackframe/react
# or: pnpm i @stackframe/react
# or: yarn add @stackframe/react
# or: bun add @stackframe/react
Initializing the Stack App
Next, let us create the Stack App object for your project. This is the most important object in a Stack Auth project.In a frontend where you cannot keep a secret key safe, you would use the
StackClientApp constructor:src/stack/client.ts
import { StackClientApp } from "@stackframe/react";
export const stackClientApp = new StackClientApp({
tokenStore: "cookie", // "nextjs-cookie" for Next.js, "cookie" for other web frontends, null for backend environments
});
Setting up the project
It’s now time to create a development setup for Stack Auth.You can either run Stack Auth locally, or connect to a project hosted in the cloud.
Option 1: Running Stack Auth locally (recommended)
Option 1: Running Stack Auth locally (recommended)
First, create a To run your application with Stack Auth, you then need to start the emulator and set environment variables expected by your application. The
stack.config.ts configuration file in the root directory of the workspace (or anywhere else):stack.config.ts
import type { StackConfig } from "@stackframe/react";
// default: show-onboarding, which shows the onboarding flow for this project when Stack Auth starts
export const config: StackConfig = "show-onboarding";
emulator run CLI command does both of these, so you can simply wrap your existing dev script in your package.json:package.json
{
// ...
"scripts": {
// ...
"dev": "npx @stackframe/stack-cli emulator run --config-file ./stack.config.ts -- <your-existing-dev-script>"
}
}
Option 2: Connecting a cloud project
Option 2: Connecting a cloud project
If you’d rather run your development environment on our infrastructure, or you already have an existing product, you can also connect a cloud project.This process is slightly different depending on whether you’re setting up a frontend or a backend (whether your app can keep a secret key safe or not).Alternatively, you can also just set the project ID in the They’ll automatically be picked up by the
Frontend
Go to your project’s dashboard on app.stack-auth.com and get the project ID. You can find it in the URL after the/projects/ part. Copy-paste it into your .env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if available, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
stack/client.ts file:src/stack/client.ts
export const stackClientApp = new StackClientApp({
// ...
projectId: "your-project-id",
});
Backend (or both frontend and backend)
First, navigate to the Project Keys page in the Stack Auth dashboard and generate a new set of keys.Then, copy-paste them into your.env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if desired, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
STACK_SECRET_SERVER_KEY=<your-secret-server-key>
StackServerApp constructor.Creating a <StackProvider /> and <StackTheme />
In React frameworks, Stack Auth provides
StackProvider and StackTheme components that should wrap your entire app at the root level.For example, if you have an App.tsx file, update it as follows:src/App.tsx
import { StackProvider, StackTheme } from "@stackframe/react";
import { stackClientApp } from "./stack/client";
export default function App() {
return (
<StackProvider app={stackClientApp}>
<StackTheme>
{/* your app content */}
</StackTheme>
</StackProvider>
);
}
Add Suspense boundary
Stack Auth also provides additional
useXyz React hooks for getXyz/listXyz functions. For example, useUser is like getUser, but as a suspending React hook.To support the suspension, you need to add a suspense boundary around your app.The easiest way to do this is to just wrap your entire app in a Suspense component:src/App.tsx
import { Suspense } from "react";
import { StackProvider, StackTheme } from "@stackframe/react";
import { stackClientApp } from "./stack/client";
export default function App() {
return (
<Suspense fallback={<div>Loading...</div>}>
<StackProvider app={stackClientApp}>
<StackTheme>
{/* your app content */}
</StackTheme>
</StackProvider>
</Suspense>
);
}
Other JS/TS SDK Setup Instructions
Follow these instructions in order to set up and get started with the Stack Auth SDK for Other JS/TS .Install dependencies
First, install the
@stackframe/js npm package with your preferred package manager:npm i @stackframe/js
# or: pnpm i @stackframe/js
# or: yarn add @stackframe/js
# or: bun add @stackframe/js
Initializing the Stack App
Next, let us create the Stack App object for your project. This is the most important object in a Stack Auth project.In a frontend where you cannot keep a secret key safe, you would use the In a backend where you can keep a secret key safe, you can use the In frameworks that are both front- and backend, like Next.js, you can also create a
StackClientApp constructor:src/stack/client.ts
import { StackClientApp } from "@stackframe/js";
export const stackClientApp = new StackClientApp({
tokenStore: "cookie", // "nextjs-cookie" for Next.js, "cookie" for other web frontends, null for backend environments
});
StackServerApp, which provides access to more sensitive APIs compared to StackClientApp:src/stack/server.ts
import { StackServerApp } from "@stackframe/js";
export const stackServerApp = new StackServerApp({
tokenStore: null,
});
StackServerApp from a StackClientApp object:src/stack/server.ts
import { StackServerApp } from "@stackframe/js";
import { stackClientApp } from "./client";
export const stackServerApp = new StackServerApp({
inheritsFrom: stackClientApp,
});
Setting up the project
It’s now time to create a development setup for Stack Auth.You can either run Stack Auth locally, or connect to a project hosted in the cloud.
Option 1: Running Stack Auth locally (recommended)
Option 1: Running Stack Auth locally (recommended)
First, create a To run your application with Stack Auth, you then need to start the emulator and set environment variables expected by your application. The
stack.config.ts configuration file in the root directory of the workspace (or anywhere else):stack.config.ts
import type { StackConfig } from "@stackframe/js";
// default: show-onboarding, which shows the onboarding flow for this project when Stack Auth starts
export const config: StackConfig = "show-onboarding";
emulator run CLI command does both of these, so you can simply wrap your existing dev script in your package.json:package.json
{
// ...
"scripts": {
// ...
"dev": "npx @stackframe/stack-cli emulator run --config-file ./stack.config.ts -- <your-existing-dev-script>"
}
}
Option 2: Connecting a cloud project
Option 2: Connecting a cloud project
If you’d rather run your development environment on our infrastructure, or you already have an existing product, you can also connect a cloud project.This process is slightly different depending on whether you’re setting up a frontend or a backend (whether your app can keep a secret key safe or not).Alternatively, you can also just set the project ID in the They’ll automatically be picked up by the
Frontend
Go to your project’s dashboard on app.stack-auth.com and get the project ID. You can find it in the URL after the/projects/ part. Copy-paste it into your .env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if available, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
stack/client.ts file:src/stack/client.ts
export const stackClientApp = new StackClientApp({
// ...
projectId: "your-project-id",
});
Backend (or both frontend and backend)
First, navigate to the Project Keys page in the Stack Auth dashboard and generate a new set of keys.Then, copy-paste them into your.env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if desired, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
STACK_SECRET_SERVER_KEY=<your-secret-server-key>
StackServerApp constructor.Backend: Update callers with header & get user
You are now ready to use the Stack Auth SDK. If you have any frontends calling your backend endpoints, you may want to pass along the Stack Auth tokens in a header such that you can access the same user object on your backend.The most ergonomic way to do this is to pass the result of In most backend frameworks you can then access the user object by passing the request object as a This will work as long as
stackClientApp.getAuthorizationHeader() as the Authorization header into your backend endpoints when the user is signed in:// NOTE: This is your frontend's code
const authorizationHeader = await stackClientApp.getAuthorizationHeader();
const response = await fetch("/my-backend-endpoint", {
headers: {
...(authorizationHeader ? { Authorization: authorizationHeader } : {}),
},
});
// ...
tokenStore of the functions that access the user object:// NOTE: This is your backend's code
const user = await stackServerApp.getUser({ tokenStore: request });
return new Response("Hello, " + user.displayName, { headers: { "Cache-Control": "private, no-store" } });
request is an object that follows the shape { headers: Record<string, string | null> | { get: (name: string) => string | null } }.
Make sure that HTTP caching is disabled with Cache-Control: private, no-store for authenticated backend endpoints.
If you cannot use getAuthorizationHeader(), for example because you are using a protocol other than HTTP, you can use getAuthJson() instead:// Frontend:
await rpcCall("my-rpc-endpoint", {
data: {
auth: await stackClientApp.getAuthJson(),
},
});
// Backend:
const user = await stackServerApp.getUser({ tokenStore: data.auth });
return new RpcResponse("Hello, " + user.displayName);
Tanstack Start SDK Setup Instructions
Follow these instructions in order to set up and get started with the Stack Auth SDK for Tanstack Start .Install dependencies
First, install the
@stackframe/react npm package with your preferred package manager:npm i @stackframe/react
# or: pnpm i @stackframe/react
# or: yarn add @stackframe/react
# or: bun add @stackframe/react
Initializing the Stack App
Next, let us create the Stack App object for your project. This is the most important object in a Stack Auth project.In a frontend where you cannot keep a secret key safe, you would use the
StackClientApp constructor:src/stack/client.ts
import { StackClientApp } from "@stackframe/react";
export const stackClientApp = new StackClientApp({
tokenStore: "cookie", // "nextjs-cookie" for Next.js, "cookie" for other web frontends, null for backend environments
});
Setting up the project
It’s now time to create a development setup for Stack Auth.You can either run Stack Auth locally, or connect to a project hosted in the cloud.
Option 1: Running Stack Auth locally (recommended)
Option 1: Running Stack Auth locally (recommended)
First, create a To run your application with Stack Auth, you then need to start the emulator and set environment variables expected by your application. The
stack.config.ts configuration file in the root directory of the workspace (or anywhere else):stack.config.ts
import type { StackConfig } from "@stackframe/react";
// default: show-onboarding, which shows the onboarding flow for this project when Stack Auth starts
export const config: StackConfig = "show-onboarding";
emulator run CLI command does both of these, so you can simply wrap your existing dev script in your package.json:package.json
{
// ...
"scripts": {
// ...
"dev": "npx @stackframe/stack-cli emulator run --config-file ./stack.config.ts -- <your-existing-dev-script>"
}
}
Option 2: Connecting a cloud project
Option 2: Connecting a cloud project
If you’d rather run your development environment on our infrastructure, or you already have an existing product, you can also connect a cloud project.This process is slightly different depending on whether you’re setting up a frontend or a backend (whether your app can keep a secret key safe or not).Alternatively, you can also just set the project ID in the They’ll automatically be picked up by the
Frontend
Go to your project’s dashboard on app.stack-auth.com and get the project ID. You can find it in the URL after the/projects/ part. Copy-paste it into your .env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if available, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
stack/client.ts file:src/stack/client.ts
export const stackClientApp = new StackClientApp({
// ...
projectId: "your-project-id",
});
Backend (or both frontend and backend)
First, navigate to the Project Keys page in the Stack Auth dashboard and generate a new set of keys.Then, copy-paste them into your.env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if desired, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
STACK_SECRET_SERVER_KEY=<your-secret-server-key>
StackServerApp constructor.Creating a <StackProvider /> and <StackTheme />
In React frameworks, Stack Auth provides
StackProvider and StackTheme components that should wrap your entire app at the root level.For example, if you have an App.tsx file, update it as follows:src/App.tsx
import { StackProvider, StackTheme } from "@stackframe/react";
import { stackClientApp } from "./stack/client";
export default function App() {
return (
<StackProvider app={stackClientApp}>
<StackTheme>
{/* your app content */}
</StackTheme>
</StackProvider>
);
}
Add Suspense boundary
Stack Auth also provides additional
useXyz React hooks for getXyz/listXyz functions. For example, useUser is like getUser, but as a suspending React hook.To support the suspension, you need to add a suspense boundary around your app.The easiest way to do this is to just wrap your entire app in a Suspense component:src/App.tsx
import { Suspense } from "react";
import { StackProvider, StackTheme } from "@stackframe/react";
import { stackClientApp } from "./stack/client";
export default function App() {
return (
<Suspense fallback={<div>Loading...</div>}>
<StackProvider app={stackClientApp}>
<StackTheme>
{/* your app content */}
</StackTheme>
</StackProvider>
</Suspense>
);
}
Node.js SDK Setup Instructions
Follow these instructions in order to set up and get started with the Stack Auth SDK for Node.js .Install dependencies
First, install the
@stackframe/js npm package with your preferred package manager:npm i @stackframe/js
# or: pnpm i @stackframe/js
# or: yarn add @stackframe/js
# or: bun add @stackframe/js
Initializing the Stack App
Next, let us create the Stack App object for your project. This is the most important object in a Stack Auth project.In a backend where you can keep a secret key safe, you can use the
StackServerApp, which provides access to more sensitive APIs compared to StackClientApp:src/stack/server.ts
import { StackServerApp } from "@stackframe/js";
export const stackServerApp = new StackServerApp({
tokenStore: null,
});
Setting up the project
It’s now time to create a development setup for Stack Auth.You can either run Stack Auth locally, or connect to a project hosted in the cloud.
Option 1: Running Stack Auth locally (recommended)
Option 1: Running Stack Auth locally (recommended)
First, create a To run your application with Stack Auth, you then need to start the emulator and set environment variables expected by your application. The
stack.config.ts configuration file in the root directory of the workspace (or anywhere else):stack.config.ts
import type { StackConfig } from "@stackframe/js";
// default: show-onboarding, which shows the onboarding flow for this project when Stack Auth starts
export const config: StackConfig = "show-onboarding";
emulator run CLI command does both of these, so you can simply wrap your existing dev script in your package.json:package.json
{
// ...
"scripts": {
// ...
"dev": "npx @stackframe/stack-cli emulator run --config-file ./stack.config.ts -- <your-existing-dev-script>"
}
}
Option 2: Connecting a cloud project
Option 2: Connecting a cloud project
If you’d rather run your development environment on our infrastructure, or you already have an existing product, you can also connect a cloud project.This process is slightly different depending on whether you’re setting up a frontend or a backend (whether your app can keep a secret key safe or not).Alternatively, you can also just set the project ID in the They’ll automatically be picked up by the
Frontend
Go to your project’s dashboard on app.stack-auth.com and get the project ID. You can find it in the URL after the/projects/ part. Copy-paste it into your .env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if available, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
stack/client.ts file:src/stack/client.ts
export const stackClientApp = new StackClientApp({
// ...
projectId: "your-project-id",
});
Backend (or both frontend and backend)
First, navigate to the Project Keys page in the Stack Auth dashboard and generate a new set of keys.Then, copy-paste them into your.env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if desired, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
STACK_SECRET_SERVER_KEY=<your-secret-server-key>
StackServerApp constructor.Update callers with header & get user
You are now ready to use the Stack Auth SDK. If you have any frontends calling your backend endpoints, you may want to pass along the Stack Auth tokens in a header such that you can access the same user object on your backend.The most ergonomic way to do this is to pass the result of In most backend frameworks you can then access the user object by passing the request object as a This will work as long as
stackClientApp.getAuthorizationHeader() as the Authorization header into your backend endpoints when the user is signed in:// NOTE: This is your frontend's code
const authorizationHeader = await stackClientApp.getAuthorizationHeader();
const response = await fetch("/my-backend-endpoint", {
headers: {
...(authorizationHeader ? { Authorization: authorizationHeader } : {}),
},
});
// ...
tokenStore of the functions that access the user object:// NOTE: This is your backend's code
const user = await stackServerApp.getUser({ tokenStore: request });
return new Response("Hello, " + user.displayName, { headers: { "Cache-Control": "private, no-store" } });
request is an object that follows the shape { headers: Record<string, string | null> | { get: (name: string) => string | null } }.
Make sure that HTTP caching is disabled with Cache-Control: private, no-store for authenticated backend endpoints.
If you cannot use getAuthorizationHeader(), for example because you are using a protocol other than HTTP, you can use getAuthJson() instead:// Frontend:
await rpcCall("my-rpc-endpoint", {
data: {
auth: await stackClientApp.getAuthJson(),
},
});
// Backend:
const user = await stackServerApp.getUser({ tokenStore: data.auth });
return new RpcResponse("Hello, " + user.displayName);
Bun SDK Setup Instructions
Follow these instructions in order to set up and get started with the Stack Auth SDK for Bun .Install dependencies
First, install the
@stackframe/js npm package with your preferred package manager:npm i @stackframe/js
# or: pnpm i @stackframe/js
# or: yarn add @stackframe/js
# or: bun add @stackframe/js
Initializing the Stack App
Next, let us create the Stack App object for your project. This is the most important object in a Stack Auth project.In a backend where you can keep a secret key safe, you can use the
StackServerApp, which provides access to more sensitive APIs compared to StackClientApp:src/stack/server.ts
import { StackServerApp } from "@stackframe/js";
export const stackServerApp = new StackServerApp({
tokenStore: null,
});
Setting up the project
It’s now time to create a development setup for Stack Auth.You can either run Stack Auth locally, or connect to a project hosted in the cloud.
Option 1: Running Stack Auth locally (recommended)
Option 1: Running Stack Auth locally (recommended)
First, create a To run your application with Stack Auth, you then need to start the emulator and set environment variables expected by your application. The
stack.config.ts configuration file in the root directory of the workspace (or anywhere else):stack.config.ts
import type { StackConfig } from "@stackframe/js";
// default: show-onboarding, which shows the onboarding flow for this project when Stack Auth starts
export const config: StackConfig = "show-onboarding";
emulator run CLI command does both of these, so you can simply wrap your existing dev script in your package.json:package.json
{
// ...
"scripts": {
// ...
"dev": "npx @stackframe/stack-cli emulator run --config-file ./stack.config.ts -- <your-existing-dev-script>"
}
}
Option 2: Connecting a cloud project
Option 2: Connecting a cloud project
If you’d rather run your development environment on our infrastructure, or you already have an existing product, you can also connect a cloud project.This process is slightly different depending on whether you’re setting up a frontend or a backend (whether your app can keep a secret key safe or not).Alternatively, you can also just set the project ID in the They’ll automatically be picked up by the
Frontend
Go to your project’s dashboard on app.stack-auth.com and get the project ID. You can find it in the URL after the/projects/ part. Copy-paste it into your .env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if available, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
stack/client.ts file:src/stack/client.ts
export const stackClientApp = new StackClientApp({
// ...
projectId: "your-project-id",
});
Backend (or both frontend and backend)
First, navigate to the Project Keys page in the Stack Auth dashboard and generate a new set of keys.Then, copy-paste them into your.env.local file (or wherever your environment variables are stored):.env.local
STACK_PROJECT_ID=<your-project-id> # if desired, prefix with your framework's convention for client-exposed variables (e.g. NEXT_PUBLIC_, VITE_, etc.)
STACK_SECRET_SERVER_KEY=<your-secret-server-key>
StackServerApp constructor.Update callers with header & get user
You are now ready to use the Stack Auth SDK. If you have any frontends calling your backend endpoints, you may want to pass along the Stack Auth tokens in a header such that you can access the same user object on your backend.The most ergonomic way to do this is to pass the result of In most backend frameworks you can then access the user object by passing the request object as a This will work as long as
stackClientApp.getAuthorizationHeader() as the Authorization header into your backend endpoints when the user is signed in:// NOTE: This is your frontend's code
const authorizationHeader = await stackClientApp.getAuthorizationHeader();
const response = await fetch("/my-backend-endpoint", {
headers: {
...(authorizationHeader ? { Authorization: authorizationHeader } : {}),
},
});
// ...
tokenStore of the functions that access the user object:// NOTE: This is your backend's code
const user = await stackServerApp.getUser({ tokenStore: request });
return new Response("Hello, " + user.displayName, { headers: { "Cache-Control": "private, no-store" } });
request is an object that follows the shape { headers: Record<string, string | null> | { get: (name: string) => string | null } }.
Make sure that HTTP caching is disabled with Cache-Control: private, no-store for authenticated backend endpoints.
If you cannot use getAuthorizationHeader(), for example because you are using a protocol other than HTTP, you can use getAuthJson() instead:// Frontend:
await rpcCall("my-rpc-endpoint", {
data: {
auth: await stackClientApp.getAuthJson(),
},
});
// Backend:
const user = await stackServerApp.getUser({ tokenStore: data.auth });
return new RpcResponse("Hello, " + user.displayName);
Convex Setup
Follow these instructions to integrate Stack Auth with Convex.Create or identify the Convex app
If the project does not already use Convex, initialize a Convex + Next.js app:When prompted, choose Next.js and No auth. Stack Auth will provide auth.During development, run the Convex backend and the app dev server:
npm create convex@latest
npx convex dev
npm run dev
Install and configure Stack Auth
Install Stack Auth in the app. If you have not already completed the SDK setup steps above, run the setup wizard:Create or select a Stack Auth project in the dashboard. Copy the Stack Auth environment variables into the app’s
npx @stackframe/stack-cli@latest init
.env.local file.Also add the same Stack Auth environment variables to the Convex deployment environment in the Convex dashboard.Configure Convex auth providers
Create or update
convex/auth.config.ts:convex/auth.config.ts
import { getConvexProvidersConfig } from "@stackframe/js";
// or: import { getConvexProvidersConfig } from "@stackframe/react";
// or: import { getConvexProvidersConfig } from "@stackframe/stack";
export default {
providers: getConvexProvidersConfig({
projectId: process.env.STACK_PROJECT_ID, // or process.env.NEXT_PUBLIC_STACK_PROJECT_ID
}),
};
Connect Convex clients to Stack Auth
Update the Convex client setup so Convex receives Stack Auth tokens.In browser JavaScript:In React:For Convex HTTP clients on the server, pass a request-like token store:
convexClient.setAuth(stackClientApp.getConvexClientAuth({}));
convexReactClient.setAuth(stackClientApp.getConvexClientAuth({}));
convexHttpClient.setAuth(stackClientApp.getConvexHttpClientAuth({ tokenStore: requestObject }));
Use Stack Auth user data in Convex functions
In Convex queries and mutations, use Stack Auth’s Convex integration to read the current user.
convex/myFunctions.ts
import { query } from "./_generated/server";
import { stackServerApp } from "../src/stack/server";
export const myQuery = query({
handler: async (ctx, args) => {
const user = await stackServerApp.getPartialUser({ from: "convex", ctx });
return user;
},
});
Supabase Setup
This setup covers Supabase Row Level Security (RLS) with Stack Auth JWTs. It does not sync user data between Supabase and Stack Auth. Use Stack Auth webhooks if you need data sync.
Create Supabase RLS policies
In the Supabase SQL editor, enable Row Level Security for your tables and write policies based on Supabase JWT claims.For example, this sample table demonstrates public rows, authenticated rows, and user-owned rows:
CREATE TABLE data (
id bigint PRIMARY KEY,
text text NOT NULL,
user_id UUID
);
INSERT INTO data (id, text, user_id) VALUES
(1, 'Everyone can see this', NULL),
(2, 'Only authenticated users can see this', NULL),
(3, 'Only user with specific id can see this', NULL);
ALTER TABLE data ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Public read" ON "public"."data" TO public
USING (id = 1);
CREATE POLICY "Authenticated access" ON "public"."data" TO authenticated
USING (id = 2);
CREATE POLICY "User access" ON "public"."data" TO authenticated
USING (id = 3 AND auth.uid() = user_id);
Install Stack Auth and Supabase dependencies
If you are starting from scratch with Next.js, you can use Supabase’s template and then initialize Stack Auth:Add the Supabase environment variables to Also add the Stack Auth environment variables:
npx create-next-app@latest -e with-supabase stack-supabase
cd stack-supabase
npx @stackframe/stack-cli@latest init
.env.local:.env.local
NEXT_PUBLIC_SUPABASE_URL=<your-supabase-url>
NEXT_PUBLIC_SUPABASE_ANON_KEY=<your-supabase-anon-key>
SUPABASE_JWT_SECRET=<your-supabase-jwt-secret>
.env.local
NEXT_PUBLIC_STACK_PROJECT_ID=<your-stack-project-id>
NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=<your-publishable-client-key>
STACK_SECRET_SERVER_KEY=<your-secret-server-key>
Mint Supabase JWTs from Stack Auth users
Create a server action that signs a Supabase JWT using the current Stack Auth user ID:
utils/actions.ts
'use server';
import { stackServerApp } from "@/stack/server";
import * as jose from "jose";
export const getSupabaseJwt = async () => {
const user = await stackServerApp.getUser();
if (!user) {
return null;
}
const token = await new jose.SignJWT({
sub: user.id,
role: "authenticated",
})
.setProtectedHeader({ alg: "HS256" })
.setIssuedAt()
.setExpirationTime("1h")
.sign(new TextEncoder().encode(process.env.SUPABASE_JWT_SECRET));
return token;
};
Create a Supabase client that uses the Stack Auth JWT
Create a helper that passes the server-generated JWT to Supabase:
utils/supabase-client.ts
import { createBrowserClient } from "@supabase/ssr";
import { getSupabaseJwt } from "./actions";
export const createSupabaseClient = () => {
return createBrowserClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
{ accessToken: async () => await getSupabaseJwt() || "" },
);
};
Fetch Supabase data
Use the Supabase client from your UI. The RLS policies will decide which rows the user can read based on the Stack Auth user ID embedded in the Supabase JWT.
app/page.tsx
'use client';
import { createSupabaseClient } from "@/utils/supabase-client";
import { useStackApp, useUser } from "@stackframe/stack";
import Link from "next/link";
import { useEffect, useState } from "react";
export default function Page() {
const app = useStackApp();
const user = useUser();
const supabase = createSupabaseClient();
const [data, setData] = useState<null | any[]>(null);
useEffect(() => {
supabase.from("data").select().then(({ data }) => setData(data ?? []));
}, []);
const listContent = data === null
? <p>Loading...</p>
: data.length === 0
? <p>No notes found</p>
: data.map((note) => <li key={note.id}>{note.text}</li>);
return (
<div>
{user ? (
<>
<p>You are signed in</p>
<p>User ID: {user.id}</p>
<Link href={app.urls.signOut}>Sign Out</Link>
</>
) : (
<Link href={app.urls.signIn}>Sign In</Link>
)}
<h3>Supabase data</h3>
<ul>{listContent}</ul>
</div>
);
}
CLI Setup
Follow these instructions to authenticate users in a command line application with Stack Auth.Add the CLI auth template
Download the Stack Auth CLI authentication template and place it in your project. For Python apps, copy it as
stack_auth_cli_template.py.Example project layout:my-python-app/
├─ main.py
└─ stack_auth_cli_template.py
Prompt the user to log in
Import and call You can store the refresh token in a local file or keychain and only prompt the user again when no saved refresh token exists.
prompt_cli_login. It opens the browser, lets the user authenticate, and returns a refresh token.main.py
from stack_auth_cli_template import prompt_cli_login
refresh_token = prompt_cli_login(
app_url="https://your-app-url.example.com",
project_id="your-project-id-here",
publishable_client_key="your-publishable-client-key-here",
)
if refresh_token is None:
print("User cancelled the login process. Exiting")
exit(1)
Exchange the refresh token for an access token
Use the refresh token with Stack Auth’s REST API to get an access token.
def get_access_token(refresh_token):
access_token_response = stack_auth_request(
"post",
"/api/v1/auth/sessions/current/refresh",
headers={
"x-stack-refresh-token": refresh_token,
},
)
return access_token_response["access_token"]
Fetch the current user
Use the access token to call the Stack Auth REST API as the logged-in user.
def get_user_object(access_token):
return stack_auth_request(
"get",
"/api/v1/users/me",
headers={
"x-stack-access-token": access_token,
},
)
user = get_user_object(get_access_token(refresh_token))
print("The user is logged in as", user["display_name"] or user["primary_email"])