Use an Authenticated Experience
Server-minted sessions for private applications.
Overview
Your server mints a Session Manifest by calling the Liforma API with your secret API key. Your client embeds the experience via sessionEndpoint, so the key never reaches the browser.
Steps
- Store `LIFORMA_API_KEY` in server environment variables
- Create a same-origin API route that calls `POST /v1/sessions`
- Pass `sessionEndpoint` to `<LiformaExperience>`
- The SDK POSTs to your route, receives the manifest, and starts the session
Client
```svelte
<LiformaExperience
  experienceId="exp_01DEMO1SPANISHCAFE"
  sessionEndpoint="/api/liforma-session"
/>
```

Server
```ts
// app/api/liforma-session/+server.ts
import { json } from '@sveltejs/kit';

export async function POST({ request }) {
  const { experienceId, userId } = await request.json();
  // TODO: validate userId against the caller's authenticated session here,
  // before minting on their behalf (see Security below).
  const res = await fetch('https://api.liforma.ai/v1/sessions', {
    method: 'POST',
    headers: {
      // The API key is read from the server environment and never sent to the browser.
      Authorization: `Bearer ${process.env.LIFORMA_API_KEY}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ experienceId, userId })
  });
  if (!res.ok) {
    return json({ message: 'Failed to mint session' }, { status: res.status });
  }
  // Return the Session Manifest to the SDK, which uses it to start the session.
  return json(await res.json());
}
```

Security
- Never expose your API key to the browser
- Never pass manifests with `sessionToken` through SSR load data
- Validate `userId` server-side before minting