Integration guides
Next.js integration
Use TxnShield in route handlers or server actions without exposing secret keys to the client.
Where TxnShield belongs
Evaluate protected actions in route handlers, server actions, or backend services. Do not evaluate with a secret key in client components.
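A check for the rule above, written as an added example (not part of the TxnShield docs or SDK): it flags files that start with the Next.js "use client" directive and import the Node SDK or reference TXNSHIELD_SECRET_KEY, plus any NEXT_PUBLIC_-prefixed variable with SECRET in its name. The function names, file paths and sample sources are constructed for illustration.

```ts
type Finding = { file: string; reason: string };

const NODE_SDK = /(?:from\s+|require\(\s*)["']@txnshield\/sdk-node["']/;
const SECRET_ENV = /\bTXNSHIELD_SECRET_KEY\b/;
// Next.js inlines NEXT_PUBLIC_-prefixed variables into the browser bundle.
const PUBLIC_SECRET = /\bNEXT_PUBLIC_\w*SECRET\w*/;

// A client component starts with the "use client" directive; only comments
// and whitespace may come before it.
function isClientComponent(source: string): boolean {
  const body = source
    .replace(/^\uFEFF/, "")
    .replace(/^(?:\s*(?:\/\/[^\n]*\n|\/\*[\s\S]*?\*\/))*\s*/, "");
  return /^(["'])use client\1/.test(body);
}

function auditSources(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [file, source] of Object.entries(files)) {
    const exposed = source.match(PUBLIC_SECRET);
    if (exposed) {
      findings.push({ file, reason: `${exposed[0]} would be inlined into the browser bundle` });
    }
    if (!isClientComponent(source)) continue; // server-side file: SDK and key are expected here
    if (NODE_SDK.test(source)) {
      findings.push({ file, reason: "client component imports @txnshield/sdk-node" });
    }
    if (SECRET_ENV.test(source)) {
      findings.push({ file, reason: "client component references TXNSHIELD_SECRET_KEY" });
    }
  }
  return findings;
}

// Constructed sample sources (hypothetical paths, not from a real project).
const sampleFiles: Record<string, string> = {
  "app/api/account/route.ts":
    `import { createTxnShieldNode } from "@txnshield/sdk-node";\nconst key = process.env.TXNSHIELD_SECRET_KEY;`,
  "app/settings/form.tsx":
    `"use client";\nimport { createTxnShieldNode } from "@txnshield/sdk-node";`,
  "app/settings/banner.tsx":
    `// banner\n'use client'\nconst k = process.env.NEXT_PUBLIC_TXNSHIELD_SECRET_KEY;`,
};

for (const f of auditSources(sampleFiles)) console.log(`${f.file}: ${f.reason}`);
```

A module without the directive still ships to the browser when a client component imports it, so a clean result is a first pass, not proof that the key stays server-side.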
Install packages
Install the browser SDK only in client-safe code and the Node SDK only in server-side route handlers, server actions, or backend services.
```bash
# Run the one command that matches your package manager.
npm install @txnshield/sdk-node @txnshield/sdk-web
pnpm add @txnshield/sdk-node @txnshield/sdk-web
yarn add @txnshield/sdk-node @txnshield/sdk-web
bun add @txnshield/sdk-node @txnshield/sdk-web
```
Route handler example
```ts
import { NextResponse } from "next/server";
import { createTxnShieldNode } from "@txnshield/sdk-node";

// requireCurrentUser and updatePaymentDetails are your application's own
// helpers (not shown here); import them from wherever they live in your app.

// The secret key is read from the server environment and never sent to the client.
const txnshield = createTxnShieldNode({
  secretKey: process.env.TXNSHIELD_SECRET_KEY!,
  apiBaseUrl: process.env.TXNSHIELD_API_BASE_URL!,
});

export async function POST(request: Request) {
  // Authenticate first so the actor comes from the session, not the request body.
  const user = await requireCurrentUser();
  const body = await request.json();

  // Evaluate the protected operation before making any change.
  const decision = await txnshield.evaluate({
    operationKey: "bank_account.update",
    actor: { id: user.id, roles: user.roles },
    resource: { type: "account", id: body.accountId },
    metadata: { changedFields: Object.keys(body.patch ?? {}) },
  });

  if (decision.decision === "step_up_required") {
    return NextResponse.json({ challenge: "step_up_required" }, { status: 409 });
  }
  if (decision.decision === "deny") {
    return NextResponse.json({ error: "Denied" }, { status: 403 });
  }

  return NextResponse.json(await updatePaymentDetails(body));
}
```
Testing
Use a development environment first. Trigger the route, inspect the event, then tune the policy before moving the same operation into staging or production.
Next steps