Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions docs/plugins/csrf.md
Original file line number Diff line number Diff line change
Expand Up @@ -71,11 +71,16 @@ export class MessageCreate implements Action {

Call `GET /api/csrf-token` once on app bootstrap (or whenever you suspect the session has rotated). The token must be sent as a body field (or query string parameter) on state-changing requests — there is no header support.

Cast the response through `ActionResponse<CsrfTokenAction>` so the `token` field is typed at the call site (see [Typed Clients](/guide/typed-clients) for the full pattern):

```ts
import type { ActionResponse } from "keryx";
import type { CsrfTokenAction } from "@keryxjs/csrf";

async function getCsrfToken(): Promise<string> {
const res = await fetch("/api/csrf-token", { credentials: "include" });
const { token } = await res.json();
return token;
const body = (await res.json()) as ActionResponse<CsrfTokenAction>;
return body.token;
}

const csrfToken = await getCsrfToken();
Expand Down
Loading