Relpin auth helpers resolve the current session through a server-side auth service and enforce permission checks before route handler logic runs.
Require a session
import { withAuth } from '@app-builder-platform/relpin-sdk/auth'

export const handler = withAuth(async ({ session }) => {
  return Response.json({ userId: session.userId, orgId: session.orgId })
})
Require a permission
import { withAuth } from '@app-builder-platform/relpin-sdk/auth'

export const updateOrder = withAuth(
  async ({ requestContext }) => {
    return Response.json({ env: requestContext.env })
  },
)
Pass a required permission through the handler options when the route is invoked. Missing sessions and denied permissions should fail closed: the request is rejected before the handler logic runs.
Do not trust roles alone
Roles are useful presets. Product surfaces should enforce explicit permission keys for sensitive actions.
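The sketch below is an added example, not Relpin SDK code. It shows a fail-closed check keyed on an explicit permission, so that a role name alone never authorizes a sensitive action. Every name in it (`ROLE_PRESETS`, `effectivePermissions`, `decide`, `guard`, the `orders:*` keys, the `permissions` and `revoked` session fields) is a hypothetical assumption.

```javascript
// Added illustration; NOT the Relpin SDK. All names here are hypothetical.
// Constructed role presets: a role is only shorthand for a set of permission keys.
const ROLE_PRESETS = new Map([
  ['admin', ['orders:read', 'orders:update', 'orders:refund']],
  ['support', ['orders:read']],
])

// Resolve the keys a session actually holds. Unknown roles grant nothing.
function effectivePermissions(session) {
  const fromRole = ROLE_PRESETS.get(session.role) ?? []
  const granted = Array.isArray(session.permissions) ? session.permissions : []
  const revoked = new Set(Array.isArray(session.revoked) ? session.revoked : [])
  return new Set([...fromRole, ...granted].filter((key) => !revoked.has(key)))
}

// Decide access. Every path that is not an explicit match is a denial.
function decide(session, requiredPermission) {
  if (typeof requiredPermission !== 'string' || requiredPermission === '') {
    return { allowed: false, status: 500, reason: 'route declared no permission' }
  }
  if (!session || typeof session.userId !== 'string' || session.userId === '') {
    return { allowed: false, status: 401, reason: 'no session' }
  }
  if (!effectivePermissions(session).has(requiredPermission)) {
    return { allowed: false, status: 403, reason: 'permission denied' }
  }
  return { allowed: true, status: 200, reason: 'ok' }
}

// Wrap a route handler so the check runs before any handler logic.
function guard(requiredPermission, resolveSession, handler) {
  return async (request) => {
    let verdict
    let session = null
    try {
      session = await resolveSession(request)
      verdict = decide(session, requiredPermission)
    } catch {
      // A failing session lookup is treated as a denial, never as a pass.
      verdict = { allowed: false, status: 401, reason: 'session lookup failed' }
    }
    if (!verdict.allowed) {
      return Response.json({ error: verdict.reason }, { status: verdict.status })
    }
    return handler({ request, session })
  }
}
```

An `admin` session with `orders:refund` revoked is denied the refund route even though the role name is unchanged, which is the case a role-only check would miss.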