Docs / Frameworks / SvelteKit

SvelteKit

SvelteKit's $env/static/private is statically guaranteed to never reach the browser bundle — perfect for the service key.

// src/lib/flarelink.ts — usable everywhere (auth-only)
import { createFlarelink } from "@flarelink/client"
import { PUBLIC_FLARELINK_AUTH_URL } from "$env/static/public"

export const flarelink = createFlarelink({ url: PUBLIC_FLARELINK_AUTH_URL })

// src/lib/flarelink.server.ts — server-only (.server.ts enforced by SvelteKit)
import { createFlarelink } from "@flarelink/client"
import { PUBLIC_FLARELINK_AUTH_URL } from "$env/static/public"
import { FLARELINK_SERVICE_KEY } from "$env/static/private"

export function flarelinkFor(event: { request: Request }) {
  return createFlarelink({
    url: PUBLIC_FLARELINK_AUTH_URL,
    serviceKey: FLARELINK_SERVICE_KEY,
    cookies: () => event.request.headers.get("cookie") ?? "",
  })
}

Protect a route

Resolve the user in a +page.server.ts (or +layout.server.ts to guard a whole subtree) load and throw a redirect when there's no session.

// src/routes/dashboard/+page.server.ts
import { redirect } from "@sveltejs/kit"
import { flarelinkFor } from "$lib/flarelink.server"

export const load = async (event) => {
  const flarelink = flarelinkFor(event)
  const me = await flarelink.auth.getMe()
  if (!me) throw redirect(303, "/login")

  const { rows: posts } = await flarelink
    .from("posts")
    .where({ author_id: me.id })
  return { posts, me }
}

Always scope queries to me.id server-side. For a whole section, do the same check in +layout.server.ts — child routes inherit the guarded layout data.

# .env
PUBLIC_FLARELINK_AUTH_URL=https://myapp-auth.your-subdomain.workers.dev
FLARELINK_SERVICE_KEY=flarelink_sk_…

Something unclear or missing? [email protected] llms-full.txt ↗