║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║

---

title: Locals description: Learn how to authenticate your Astro application with Clerk using locals. sdk: astro

Through Astro locals, Clerk's Auth and current User{{ target: '_blank' }} objects can be accessed between middlewares and pages. These locals are injected when you configure the provided middleware.

locals.auth()

Astro.locals.auth() returns an Auth object. This JavaScript object contains important information like session data, your user's ID, as well as the ID of the active organization. Learn more about the Auth object here{{ target: '_blank' }}.

locals.auth() options

<Properties> - `opts?` - `{acceptsToken: TokenType, treatPendingAsSignedOut: boolean }`

An optional object that can be used to configure the behavior of the locals.auth() function. It accepts the following properties:

<Include src="_partials/machine-auth/accepts-token-explanation" />

• treatPendingAsSignedOut?: A boolean that indicates whether to treat pending session status as signed out. Defaults to true. </Properties>

Example: Protect a page or form

You can use the isAuthenticated property from the auth() local to protect your pages and forms.

<CodeBlockTabs options={["Protect a page", "Protect a form"]}>

---
const { isAuthenticated, userId, redirectToSignIn } = Astro.locals.auth()

if (!isAuthenticated) {
  return redirectToSignIn()
}
---

<div>Protected page</div>

---
if (Astro.request.method === 'POST') {
  if (!Astro.locals.auth().isAuthenticated) {
    throw new Error('You must be signed in to add an item to your cart')
  }

  const data = await Astro.request.formData()
  console.log('add item action', data)
}
---

<form method="POST">
  <input value="test" type="text" name="name" />
  <button type="submit">Add to Cart</button>
</form>

</CodeBlockTabs>

Example: Protect a route based on token type

The following example uses locals.auth() to protect the route based on token type:

• It accepts any token type (acceptsToken: 'any') from the request.
• If the token is a session_token, it logs that the request is from a user session.
• Otherwise, it logs that the request uses a machine token and specifies its type.

export const GET: APIRoute = ({ locals }) => {
  // Use `locals.auth()` to protect a route based on token type
  const authObject = locals.auth({ acceptsToken: 'any' })

  if (authObject.tokenType === 'session_token') {
    console.log('This is a session token from a user')
  } else {
    console.log(`This is a ${authObject.tokenType} token`)
  }

  return new Response(JSON.stringify({}))
}

locals.currentUser()

Current user data is important for data enrichment. The currentUser() local fetch the current user's Backend User{{ target: '_blank' }} object, which includes all of the user's information and provides a set of methods to manage their account.

Under the hood, this local:

• uses the GET /v1/users/me endpoint.
• counts towards the Backend API Request Rate Limit.

For more information on currentUser(), see the reference{{ target: '_blank' }}.

---
if (Astro.request.method === 'POST') {
  const user = await Astro.locals.currentUser()

  if (!user) {
    throw new Error('You must be signed in to use this feature')
  }

  const data = await Astro.request.formData()
  const serverData = {
    usersHobby: data.get('hobby'),
    userId: user.id,
    profileImage: user.imageUrl,
  }

  console.log('add item action completed with user details ', serverData)
}
---

<form method="POST">
  <input value="soccer" type="text" name="hobby" />
  <button type="submit">Submit your hobby</button>
</form>

║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║