Documentation Index
Fetch the complete documentation index at: https://mintlify.com/nuxt-alt/auth/llms.txt
Use this file to discover all available pages before exploring further.
@nuxt-alt/auth is designed to work correctly with Nuxt 3’s SSR mode out of the box. When a request arrives at the server, the module reads auth tokens from the incoming cookie header, initializes the Auth instance with those tokens, and runs the active strategy’s mounted() hook — which fetches the user if a valid token is present. The result is a fully hydrated page with user data on the very first response, with no client-side flash of unauthenticated content.
How SSR Works
Understanding the full rendering cycle helps when debugging SSR auth issues:Token extraction
On the server, the
Storage class calls getUniversal() which checks local state first (prepended to the source order when process.server is true), then falls through to the cookie header parsed from the incoming HTTP request. No localStorage or sessionStorage is accessed because those APIs do not exist in a Node.js environment. In practice, since state starts empty at the beginning of each request, cookies are the effective token source on the server.Auth initialization
The
Auth instance is constructed with the extracted tokens and the configured module options. auth.$state.loggedIn and auth.user are populated from the stored values.Strategy mounted hook
auth.mounted() is called, which delegates to the active strategy’s mounted() method. For the local and refresh strategies this typically calls fetchUser() if a valid token is present, populating auth.user with fresh data from your API.Page render
The page renders on the server with full access to
auth.loggedIn, auth.user, and all other reactive state. Middleware runs in this context too, so protected pages redirect on the server before any HTML is sent.Token Storage for SSR
Cookies are the only storage mechanism that works on both the server and the client. The module enables cookie storage by default and disableslocalStorage and sessionStorage for exactly this reason.
nuxt.config.ts
The Nitro Reset Endpoint
When Nuxt SSR mode is active (i.e.ssr is not disabled in nuxt.config.ts), @nuxt-alt/auth automatically registers a Nitro server handler at POST /_auth/reset. This endpoint clears the auth cookie from the server side, ensuring that a logout operation correctly removes the session cookie even when the HTTP-only flag prevents client-side JavaScript from doing so.
The handler is registered during module setup:
logout() flow invokes it as part of the cleanup process when running under SSR.
Using @nuxt-alt/proxy for SSR
A common SSR challenge occurs when your Nuxt application and your API server are on different origins. Cookies set by the API server will not be sent with requests from the Nuxt server because they are on a different hostname. The recommended solution is to use@nuxt-alt/proxy to proxy API requests through the Nuxt server, making all requests same-origin.
nuxt.config.ts
/api/* requests to your backend, so session cookies and auth headers flow through a single origin on both the server and the client.
Per-Scheme SSR Option
Every scheme accepts anssr: true option that forces the scheme’s baseURL to an empty string for all requests. When baseURL is '', @nuxt-alt/auth uses requrl() to reconstruct the absolute URL from the incoming SSR request, making the API call relative to the Nuxt server host. This is useful when you want SSR requests to go through the local Nuxt/proxy layer without hardcoding an internal URL.
nuxt.config.ts
Laravel Sanctum SSR
ThelaravelSanctum provider includes special SSR handling. When ssr: true is set on the strategy, the provider enables addLocalAuthorize, which attaches the auth token to server-side requests that would otherwise be blocked by same-site cookie restrictions.
nuxt.config.ts