Server verification

Never trust a browser event alone. Treat the Sendity Client event as a signal and verify the signed result on your backend before creating an application session.

Why server verification matters

The browser can be modified. Your backend must validate the signed result, expiry and replay status before opening a session.

Endpoint example

The browser POSTs the signedResult it received in the authenticated event to /auth/sendity. The backend verifies that value itself and only then creates a session; the event's presence in the browser proves nothing on its own.

Failure cases

Reject missing, expired, replayed, malformed or wrong-audience results.

Replay protection

Record each verification id (or token id) the first time it is accepted and reject any result that presents an id already recorded. Consume the id before creating the session, so a second submission of the same result cannot race the first and also obtain a session.

// Assumes an Express app, an initialised Sendity server client (`sendity`)
// and a session store (`sessions`) are already set up elsewhere.
app.post("/auth/sendity", async (req, res) => {
  // Reject missing input before touching the verifier.
  if (typeof req.body?.signedResult !== "string") {
    return res.status(400).json({ error: "missing_signed_result" });
  }
  // Validates signature, expiry, audience and replay status server-side.
  const result = await sendity.verify(req.body.signedResult);
  if (!result.ok) return res.status(401).json({ error: "verification_failed" });
  // Only a verified result may open an application session.
  await sessions.create({ userId: result.subject });
  res.json({ ok: true });
});