Browser Auth Pattern - Fluxomail Documentation

This pattern lets you use the SDK in the browser without exposing server API keys. Server (Next.js route handler)

// app/api/fluxomail/token/route.ts
export const runtime = 'nodejs'
export async function POST(request: Request) {
  // Validate the user/org from your session
  // Mint a short-lived token scoped to the org/user
  const token = await mintFluxomailToken({ orgId: 'org_123', ttlSeconds: 300 })
  return Response.json({ token })
}

Client (browser)

import { Fluxomail } from '@fluxomail/sdk'

const { token } = await (await fetch('/api/fluxomail/token', { method: 'POST' })).json()
const fm = new Fluxomail({ token, getToken: async () => {
  // Auto-refresh for REST requests after 401
  const r = await fetch('/api/fluxomail/token', { method: 'POST' })
  return (await r.json()).token
}})

// Stream events (token sent as query param by the SDK)
const sub = fm.events.subscribe({ types: ['email.*'], checkpoint: {
  get: () => localStorage.getItem('fluxo:lastEventId') || undefined,
  set: (id) => localStorage.setItem('fluxo:lastEventId', id)
} }, (evt) => {
  console.log(evt)
})

Notes

Never expose long-lived API keys in the browser.
Keep tokens short-lived and scoped; rotate if compromised.
For Node/CLI, prefer server API keys.

API keys & scopes Connect HubSpot (OAuth + Webhooks)