Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.edgespark.dev/llms.txt

Use this file to discover all available pages before exploring further.

EdgeSpark enforces authentication through URL path conventions. There is no auth middleware for you to register. The route prefix determines the behavior.

The three path conventions

Path patternAuthentication behavior
/api/*Login required. Requests without a valid session are rejected with 401.
/api/public/*Login optional. auth.user is populated if the user is logged in, otherwise null.
/api/webhooks/*No session-based auth. Verify incoming requests yourself.

Protected routes

server/src/index.ts
import { db } from "edgespark";
import { auth } from "edgespark/http";
import { Hono } from "hono";
import { posts } from "@defs";

const app = new Hono()
  .get("/api/profile", (c) => {
    return c.json({ email: auth.user.email, id: auth.user.id });
  })
  .post("/api/posts", async (c) => {
    const body = await c.req.json<{ title: string }>();

    await db.insert(posts).values({
      title: body.title,
      authorId: auth.user.id,
    });

    return c.json({ created: true }, 201);
  });

export default app;

Public routes

server/src/index.ts
import { db } from "edgespark";
import { auth } from "edgespark/http";
import { Hono } from "hono";
import { posts } from "@defs";

const app = new Hono().get("/api/public/posts", async (c) => {
  const rows = await db.select().from(posts);

  if (auth.user) {
    return c.json({ posts: rows, currentUserId: auth.user.id });
  }

  return c.json({ posts: rows });
});

export default app;

Webhook routes

server/src/index.ts
import { secret } from "edgespark";
import { Hono } from "hono";

const app = new Hono().post("/api/webhooks/stripe", async (c) => {
  const rawBody = await c.req.text();
  const signingSecret = secret.get("STRIPE_WEBHOOK_SECRET") ?? "";

  return c.json({
    received: true,
    hasSigningSecret: Boolean(signingSecret),
    size: rawBody.length,
  });
});

export default app;
Webhook routes have no platform-level session authentication. Always verify signatures or shared secrets from the sender. See Authenticate users for a full verification example.

See also

Authenticate users

How to read the current user and verify incoming webhooks.

auth reference

The runtime auth API and when auth.user is available.
Last modified on April 7, 2026