next-token-auth 1.0.8 → 1.0.10

package/README.md

@@ -287,6 +287,44 @@ The hook waits for `isLoading` to be `false` before acting, so it won't flash a
 
 ---
 
+### Making Authenticated API Requests
+
+When you need to call your own backend endpoints that require an access token, use `client.fetch` from the `useAuth` hook. It automatically injects `Authorization: Bearer <token>` and handles 401 → refresh → retry for you.
+
+```ts
+"use client";
+
+import { useAuth } from "next-token-auth/react";
+
+export default function Orders() {
+  const { client } = useAuth();
+
+  async function fetchOrders() {
+    const res = await client.fetch("https://api.example.com/orders");
+    const data = await res.json();
+    console.log(data);
+  }
+
+  return <button onClick={fetchOrders}>Load Orders</button>;
+}
+```
+
+You can also read the token directly from the session if you need to pass it manually:
+
+```ts
+const { session } = useAuth();
+
+const res = await fetch("https://api.example.com/orders", {
+  headers: {
+    Authorization: `Bearer ${session.tokens?.accessToken}`,
+  },
+});
+```
+
+`client.fetch` is the recommended approach — it keeps your requests resilient to token expiry without any extra work on your end.
+
+---
+
 ### Protecting API Routes with `withAuth`
 
 Wrap App Router route handlers to require authentication:

package/dist/index-ChpgBFYz.d.mts

@@ -0,0 +1,91 @@
+type ExpiryInput = number | string;
+type ExpiryStrategy = "backend" | "config" | "hybrid";
+interface AuthTokens {
+    accessToken: string;
+    refreshToken: string;
+    /** Unix timestamp (ms) */
+    accessTokenExpiresAt: number;
+    /** Unix timestamp (ms) */
+    refreshTokenExpiresAt?: number;
+}
+interface AuthSession<User = unknown> {
+    user: User | null;
+    tokens: AuthTokens | null;
+    isAuthenticated: boolean;
+}
+interface LoginInput {
+    [key: string]: unknown;
+}
+interface LoginResponse<User = unknown> {
+    user: User;
+    accessToken: string;
+    refreshToken: string;
+    /** Seconds until access token expires (legacy field) */
+    expiresIn?: number;
+    accessTokenExpiresIn?: number | string;
+    refreshTokenExpiresIn?: number | string;
+}
+interface AuthConfig<User = unknown> {
+    /** Base URL of your backend API */
+    baseUrl: string;
+    endpoints: {
+        login: string;
+        register?: string;
+        refresh: string;
+        logout?: string;
+        /** Endpoint to fetch the current user profile */
+        me?: string;
+    };
+    routes?: {
+        /** Paths that are always accessible without auth */
+        public: string[];
+        /** Paths that require authentication */
+        protected: string[];
+        /**
+         * Paths only accessible when NOT authenticated (e.g. /login, /register).
+         * Authenticated users are redirected to `redirectAuthenticatedTo`.
+         */
+        guestOnly?: string[];
+        /**
+         * Where to redirect authenticated users who visit a guestOnly route.
+         * @default "/dashboard"
+         */
+        redirectAuthenticatedTo?: string;
+    };
+    token: {
+        storage: "cookie" | "memory";
+        cookieName?: string;
+        secure?: boolean;
+        sameSite?: "strict" | "lax" | "none";
+    };
+    /** Secret used for encrypting stored tokens */
+    secret: string;
+    /** Automatically refresh access token before expiry */
+    autoRefresh?: boolean;
+    /**
+     * Seconds before expiry to trigger a proactive refresh.
+     * @default 60
+     */
+    refreshThreshold?: number;
+    expiry?: {
+        accessTokenExpiresIn?: ExpiryInput;
+        refreshTokenExpiresIn?: ExpiryInput;
+        /**
+         * - "backend"  → trust expiresIn from API response
+         * - "config"   → use config values only
+         * - "hybrid"   → backend first, fallback to config
+         * @default "hybrid"
+         */
+        strategy?: ExpiryStrategy;
+    };
+    /** Optional custom fetch implementation */
+    fetchFn?: typeof fetch;
+    /** Called after a successful login */
+    onLogin?: (session: AuthSession<User>) => void;
+    /** Called after logout */
+    onLogout?: () => void;
+    /** Called when token refresh fails */
+    onRefreshError?: (error: unknown) => void;
+}
+
+export type { AuthConfig as A, ExpiryInput as E, LoginInput as L, AuthSession as a, AuthTokens as b, ExpiryStrategy as c, LoginResponse as d };

package/dist/index-ChpgBFYz.d.ts

@@ -0,0 +1,91 @@
+type ExpiryInput = number | string;
+type ExpiryStrategy = "backend" | "config" | "hybrid";
+interface AuthTokens {
+    accessToken: string;
+    refreshToken: string;
+    /** Unix timestamp (ms) */
+    accessTokenExpiresAt: number;
+    /** Unix timestamp (ms) */
+    refreshTokenExpiresAt?: number;
+}
+interface AuthSession<User = unknown> {
+    user: User | null;
+    tokens: AuthTokens | null;
+    isAuthenticated: boolean;
+}
+interface LoginInput {
+    [key: string]: unknown;
+}
+interface LoginResponse<User = unknown> {
+    user: User;
+    accessToken: string;
+    refreshToken: string;
+    /** Seconds until access token expires (legacy field) */
+    expiresIn?: number;
+    accessTokenExpiresIn?: number | string;
+    refreshTokenExpiresIn?: number | string;
+}
+interface AuthConfig<User = unknown> {
+    /** Base URL of your backend API */
+    baseUrl: string;
+    endpoints: {
+        login: string;
+        register?: string;
+        refresh: string;
+        logout?: string;
+        /** Endpoint to fetch the current user profile */
+        me?: string;
+    };
+    routes?: {
+        /** Paths that are always accessible without auth */
+        public: string[];
+        /** Paths that require authentication */
+        protected: string[];
+        /**
+         * Paths only accessible when NOT authenticated (e.g. /login, /register).
+         * Authenticated users are redirected to `redirectAuthenticatedTo`.
+         */
+        guestOnly?: string[];
+        /**
+         * Where to redirect authenticated users who visit a guestOnly route.
+         * @default "/dashboard"
+         */
+        redirectAuthenticatedTo?: string;
+    };
+    token: {
+        storage: "cookie" | "memory";
+        cookieName?: string;
+        secure?: boolean;
+        sameSite?: "strict" | "lax" | "none";
+    };
+    /** Secret used for encrypting stored tokens */
+    secret: string;
+    /** Automatically refresh access token before expiry */
+    autoRefresh?: boolean;
+    /**
+     * Seconds before expiry to trigger a proactive refresh.
+     * @default 60
+     */
+    refreshThreshold?: number;
+    expiry?: {
+        accessTokenExpiresIn?: ExpiryInput;
+        refreshTokenExpiresIn?: ExpiryInput;
+        /**
+         * - "backend"  → trust expiresIn from API response
+         * - "config"   → use config values only
+         * - "hybrid"   → backend first, fallback to config
+         * @default "hybrid"
+         */
+        strategy?: ExpiryStrategy;
+    };
+    /** Optional custom fetch implementation */
+    fetchFn?: typeof fetch;
+    /** Called after a successful login */
+    onLogin?: (session: AuthSession<User>) => void;
+    /** Called after logout */
+    onLogout?: () => void;
+    /** Called when token refresh fails */
+    onRefreshError?: (error: unknown) => void;
+}
+
+export type { AuthConfig as A, ExpiryInput as E, LoginInput as L, AuthSession as a, AuthTokens as b, ExpiryStrategy as c, LoginResponse as d };

package/dist/index.d.mts

@@ -1,85 +1,8 @@
-import * as react_jsx_runtime from 'react/jsx-runtime';
-import React from 'react';
-
-type ExpiryInput = number | string;
-type ExpiryStrategy = "backend" | "config" | "hybrid";
-interface AuthTokens {
-    accessToken: string;
-    refreshToken: string;
-    /** Unix timestamp (ms) */
-    accessTokenExpiresAt: number;
-    /** Unix timestamp (ms) */
-    refreshTokenExpiresAt?: number;
-}
-interface AuthSession<User = unknown> {
-    user: User | null;
-    tokens: AuthTokens | null;
-    isAuthenticated: boolean;
-}
-interface LoginInput {
-    [key: string]: unknown;
-}
-interface LoginResponse<User = unknown> {
-    user: User;
-    accessToken: string;
-    refreshToken: string;
-    /** Seconds until access token expires (legacy field) */
-    expiresIn?: number;
-    accessTokenExpiresIn?: number | string;
-    refreshTokenExpiresIn?: number | string;
-}
-interface AuthConfig<User = unknown> {
-    /** Base URL of your backend API */
-    baseUrl: string;
-    endpoints: {
-        login: string;
-        register?: string;
-        refresh: string;
-        logout?: string;
-        /** Endpoint to fetch the current user profile */
-        me?: string;
-    };
-    routes?: {
-        /** Paths that are always accessible without auth */
-        public: string[];
-        /** Paths that require authentication */
-        protected: string[];
-    };
-    token: {
-        storage: "cookie" | "memory";
-        cookieName?: string;
-        secure?: boolean;
-        sameSite?: "strict" | "lax" | "none";
-    };
-    /** Secret used for encrypting stored tokens */
-    secret: string;
-    /** Automatically refresh access token before expiry */
-    autoRefresh?: boolean;
-    /**
-     * Seconds before expiry to trigger a proactive refresh.
-     * @default 60
-     */
-    refreshThreshold?: number;
-    expiry?: {
-        accessTokenExpiresIn?: ExpiryInput;
-        refreshTokenExpiresIn?: ExpiryInput;
-        /**
-         * - "backend"  → trust expiresIn from API response
-         * - "config"   → use config values only
-         * - "hybrid"   → backend first, fallback to config
-         * @default "hybrid"
-         */
-        strategy?: ExpiryStrategy;
-    };
-    /** Optional custom fetch implementation */
-    fetchFn?: typeof fetch;
-    /** Called after a successful login */
-    onLogin?: (session: AuthSession<User>) => void;
-    /** Called after logout */
-    onLogout?: () => void;
-    /** Called when token refresh fails */
-    onRefreshError?: (error: unknown) => void;
-}
+import { A as AuthConfig, b as AuthTokens, a as AuthSession, L as LoginInput, E as ExpiryInput } from './index-ChpgBFYz.mjs';
+export { c as ExpiryStrategy, d as LoginResponse } from './index-ChpgBFYz.mjs';
+export { AuthProvider, UseAuthReturn, UseRequireAuthOptions, useAuth, useRequireAuth, useSession } from './react/index.mjs';
+import 'react/jsx-runtime';
+import 'react';
 
 /**
  * Manages storage, retrieval, and expiry checks for auth tokens.
@@ -203,55 +126,6 @@ declare class AuthClient<User = unknown> {
     private notifyListeners;
 }
 
-interface AuthProviderProps<User = unknown> {
-    config: AuthConfig<User>;
-    children: React.ReactNode;
-}
-declare function AuthProvider<User = unknown>({ config, children, }: AuthProviderProps<User>): react_jsx_runtime.JSX.Element;
-
-interface UseAuthReturn<User = unknown> {
-    session: AuthSession<User>;
-    login: (input: LoginInput) => Promise<void>;
-    logout: () => Promise<void>;
-    refresh: () => Promise<void>;
-    isLoading: boolean;
-}
-/**
- * Primary hook for authentication operations.
- *
- * @example
- * const { session, login, logout, isLoading } = useAuth();
- */
-declare function useAuth<User = unknown>(): UseAuthReturn<User>;
-
-/**
- * Returns the current auth session without exposing login/logout actions.
- *
- * @example
- * const { user, isAuthenticated } = useSession();
- */
-declare function useSession<User = unknown>(): AuthSession<User>;
-
-interface UseRequireAuthOptions {
-    /** Path to redirect unauthenticated users to. @default "/login" */
-    redirectTo?: string;
-    /** Called when the user is not authenticated (use for custom redirect logic) */
-    onUnauthenticated?: () => void;
-}
-/**
- * Redirects unauthenticated users to the login page.
- * Works with both Next.js App Router and Pages Router.
- *
- * @example
- * // App Router (client component)
- * useRequireAuth({ redirectTo: "/login" });
- *
- * @example
- * // Custom handler
- * useRequireAuth({ onUnauthenticated: () => router.push("/login") });
- */
-declare function useRequireAuth(options?: UseRequireAuthOptions): void;
-
 /**
  * Parses an expiry value into seconds.
  * Accepts:
@@ -280,4 +154,4 @@ declare function encrypt(data: string, secret: string): Promise<string>;
  */
 declare function decrypt(data: string, secret: string): Promise<string>;
 
-export { AuthClient, type AuthConfig, AuthProvider, type AuthSession, type AuthTokens, type ExpiryInput, type ExpiryStrategy, HttpClient, type LoginInput, type LoginResponse, SessionManager, TokenManager, type UseAuthReturn, type UseRequireAuthOptions, decrypt, encrypt, parseExpiry, safeParseExpiry, useAuth, useRequireAuth, useSession };
+export { AuthClient, AuthConfig, AuthSession, AuthTokens, ExpiryInput, HttpClient, LoginInput, SessionManager, TokenManager, decrypt, encrypt, parseExpiry, safeParseExpiry };

package/dist/index.d.ts

@@ -1,85 +1,8 @@
-import * as react_jsx_runtime from 'react/jsx-runtime';
-import React from 'react';
-
-type ExpiryInput = number | string;
-type ExpiryStrategy = "backend" | "config" | "hybrid";
-interface AuthTokens {
-    accessToken: string;
-    refreshToken: string;
-    /** Unix timestamp (ms) */
-    accessTokenExpiresAt: number;
-    /** Unix timestamp (ms) */
-    refreshTokenExpiresAt?: number;
-}
-interface AuthSession<User = unknown> {
-    user: User | null;
-    tokens: AuthTokens | null;
-    isAuthenticated: boolean;
-}
-interface LoginInput {
-    [key: string]: unknown;
-}
-interface LoginResponse<User = unknown> {
-    user: User;
-    accessToken: string;
-    refreshToken: string;
-    /** Seconds until access token expires (legacy field) */
-    expiresIn?: number;
-    accessTokenExpiresIn?: number | string;
-    refreshTokenExpiresIn?: number | string;
-}
-interface AuthConfig<User = unknown> {
-    /** Base URL of your backend API */
-    baseUrl: string;
-    endpoints: {
-        login: string;
-        register?: string;
-        refresh: string;
-        logout?: string;
-        /** Endpoint to fetch the current user profile */
-        me?: string;
-    };
-    routes?: {
-        /** Paths that are always accessible without auth */
-        public: string[];
-        /** Paths that require authentication */
-        protected: string[];
-    };
-    token: {
-        storage: "cookie" | "memory";
-        cookieName?: string;
-        secure?: boolean;
-        sameSite?: "strict" | "lax" | "none";
-    };
-    /** Secret used for encrypting stored tokens */
-    secret: string;
-    /** Automatically refresh access token before expiry */
-    autoRefresh?: boolean;
-    /**
-     * Seconds before expiry to trigger a proactive refresh.
-     * @default 60
-     */
-    refreshThreshold?: number;
-    expiry?: {
-        accessTokenExpiresIn?: ExpiryInput;
-        refreshTokenExpiresIn?: ExpiryInput;
-        /**
-         * - "backend"  → trust expiresIn from API response
-         * - "config"   → use config values only
-         * - "hybrid"   → backend first, fallback to config
-         * @default "hybrid"
-         */
-        strategy?: ExpiryStrategy;
-    };
-    /** Optional custom fetch implementation */
-    fetchFn?: typeof fetch;
-    /** Called after a successful login */
-    onLogin?: (session: AuthSession<User>) => void;
-    /** Called after logout */
-    onLogout?: () => void;
-    /** Called when token refresh fails */
-    onRefreshError?: (error: unknown) => void;
-}
+import { A as AuthConfig, b as AuthTokens, a as AuthSession, L as LoginInput, E as ExpiryInput } from './index-ChpgBFYz.js';
+export { c as ExpiryStrategy, d as LoginResponse } from './index-ChpgBFYz.js';
+export { AuthProvider, UseAuthReturn, UseRequireAuthOptions, useAuth, useRequireAuth, useSession } from './react/index.js';
+import 'react/jsx-runtime';
+import 'react';
 
 /**
  * Manages storage, retrieval, and expiry checks for auth tokens.
@@ -203,55 +126,6 @@ declare class AuthClient<User = unknown> {
     private notifyListeners;
 }
 
-interface AuthProviderProps<User = unknown> {
-    config: AuthConfig<User>;
-    children: React.ReactNode;
-}
-declare function AuthProvider<User = unknown>({ config, children, }: AuthProviderProps<User>): react_jsx_runtime.JSX.Element;
-
-interface UseAuthReturn<User = unknown> {
-    session: AuthSession<User>;
-    login: (input: LoginInput) => Promise<void>;
-    logout: () => Promise<void>;
-    refresh: () => Promise<void>;
-    isLoading: boolean;
-}
-/**
- * Primary hook for authentication operations.
- *
- * @example
- * const { session, login, logout, isLoading } = useAuth();
- */
-declare function useAuth<User = unknown>(): UseAuthReturn<User>;
-
-/**
- * Returns the current auth session without exposing login/logout actions.
- *
- * @example
- * const { user, isAuthenticated } = useSession();
- */
-declare function useSession<User = unknown>(): AuthSession<User>;
-
-interface UseRequireAuthOptions {
-    /** Path to redirect unauthenticated users to. @default "/login" */
-    redirectTo?: string;
-    /** Called when the user is not authenticated (use for custom redirect logic) */
-    onUnauthenticated?: () => void;
-}
-/**
- * Redirects unauthenticated users to the login page.
- * Works with both Next.js App Router and Pages Router.
- *
- * @example
- * // App Router (client component)
- * useRequireAuth({ redirectTo: "/login" });
- *
- * @example
- * // Custom handler
- * useRequireAuth({ onUnauthenticated: () => router.push("/login") });
- */
-declare function useRequireAuth(options?: UseRequireAuthOptions): void;
-
 /**
  * Parses an expiry value into seconds.
  * Accepts:
@@ -280,4 +154,4 @@ declare function encrypt(data: string, secret: string): Promise<string>;
  */
 declare function decrypt(data: string, secret: string): Promise<string>;
 
-export { AuthClient, type AuthConfig, AuthProvider, type AuthSession, type AuthTokens, type ExpiryInput, type ExpiryStrategy, HttpClient, type LoginInput, type LoginResponse, SessionManager, TokenManager, type UseAuthReturn, type UseRequireAuthOptions, decrypt, encrypt, parseExpiry, safeParseExpiry, useAuth, useRequireAuth, useSession };
+export { AuthClient, AuthConfig, AuthSession, AuthTokens, ExpiryInput, HttpClient, LoginInput, SessionManager, TokenManager, decrypt, encrypt, parseExpiry, safeParseExpiry };

package/dist/react/index.d.mts

@@ -0,0 +1,54 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import React from 'react';
+import { A as AuthConfig, a as AuthSession, L as LoginInput } from '../index-ChpgBFYz.mjs';
+
+interface AuthProviderProps<User = unknown> {
+    config: AuthConfig<User>;
+    children: React.ReactNode;
+}
+declare function AuthProvider<User = unknown>({ config, children, }: AuthProviderProps<User>): react_jsx_runtime.JSX.Element;
+
+interface UseAuthReturn<User = unknown> {
+    session: AuthSession<User>;
+    login: (input: LoginInput) => Promise<void>;
+    logout: () => Promise<void>;
+    refresh: () => Promise<void>;
+    isLoading: boolean;
+}
+/**
+ * Primary hook for authentication operations.
+ *
+ * @example
+ * const { session, login, logout, isLoading } = useAuth();
+ */
+declare function useAuth<User = unknown>(): UseAuthReturn<User>;
+
+/**
+ * Returns the current auth session without exposing login/logout actions.
+ *
+ * @example
+ * const { user, isAuthenticated } = useSession();
+ */
+declare function useSession<User = unknown>(): AuthSession<User>;
+
+interface UseRequireAuthOptions {
+    /** Path to redirect unauthenticated users to. @default "/login" */
+    redirectTo?: string;
+    /** Called when the user is not authenticated (use for custom redirect logic) */
+    onUnauthenticated?: () => void;
+}
+/**
+ * Redirects unauthenticated users to the login page.
+ * Works with both Next.js App Router and Pages Router.
+ *
+ * @example
+ * // App Router (client component)
+ * useRequireAuth({ redirectTo: "/login" });
+ *
+ * @example
+ * // Custom handler
+ * useRequireAuth({ onUnauthenticated: () => router.push("/login") });
+ */
+declare function useRequireAuth(options?: UseRequireAuthOptions): void;
+
+export { AuthProvider, type UseAuthReturn, type UseRequireAuthOptions, useAuth, useRequireAuth, useSession };

package/dist/react/index.d.ts

@@ -0,0 +1,54 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import React from 'react';
+import { A as AuthConfig, a as AuthSession, L as LoginInput } from '../index-ChpgBFYz.js';
+
+interface AuthProviderProps<User = unknown> {
+    config: AuthConfig<User>;
+    children: React.ReactNode;
+}
+declare function AuthProvider<User = unknown>({ config, children, }: AuthProviderProps<User>): react_jsx_runtime.JSX.Element;
+
+interface UseAuthReturn<User = unknown> {
+    session: AuthSession<User>;
+    login: (input: LoginInput) => Promise<void>;
+    logout: () => Promise<void>;
+    refresh: () => Promise<void>;
+    isLoading: boolean;
+}
+/**
+ * Primary hook for authentication operations.
+ *
+ * @example
+ * const { session, login, logout, isLoading } = useAuth();
+ */
+declare function useAuth<User = unknown>(): UseAuthReturn<User>;
+
+/**
+ * Returns the current auth session without exposing login/logout actions.
+ *
+ * @example
+ * const { user, isAuthenticated } = useSession();
+ */
+declare function useSession<User = unknown>(): AuthSession<User>;
+
+interface UseRequireAuthOptions {
+    /** Path to redirect unauthenticated users to. @default "/login" */
+    redirectTo?: string;
+    /** Called when the user is not authenticated (use for custom redirect logic) */
+    onUnauthenticated?: () => void;
+}
+/**
+ * Redirects unauthenticated users to the login page.
+ * Works with both Next.js App Router and Pages Router.
+ *
+ * @example
+ * // App Router (client component)
+ * useRequireAuth({ redirectTo: "/login" });
+ *
+ * @example
+ * // Custom handler
+ * useRequireAuth({ onUnauthenticated: () => router.push("/login") });
+ */
+declare function useRequireAuth(options?: UseRequireAuthOptions): void;
+
+export { AuthProvider, type UseAuthReturn, type UseRequireAuthOptions, useAuth, useRequireAuth, useSession };