
Build A BFF/Proxy

Doc type: How-to guide

Goal and scope

Create a small server-side layer, on the same origin as the browser app, that reads the HttpOnly session cookie and forwards the access token to downstream APIs in an Authorization header. The token is therefore never readable by browser JavaScript, and the browser app only ever talks to the BFF.

Prerequisites and constraints

  • The BFF runs on the same origin as the browser app, so the browser attaches the HttpOnly cookie to BFF requests automatically.
  • The BFF does not expose refresh tokens to the client; only the proxied API response body and status reach the browser.
  • The BFF proxies a fixed set of downstream URLs. It must never build the downstream URL from client input, since that would turn it into an open proxy that attaches the user's token to arbitrary hosts.

Steps

  1. Read the access token from the HttpOnly cookie on the shared origin. The browser sends it with every same-origin request; client-side JavaScript cannot read it.

  2. Forward it to the downstream API in the Authorization header. Send only that header; do not relay the browser's Cookie header or other client-supplied headers.

  3. Return 401 when the cookie is absent. When the token is expired or revoked, the downstream API answers 401 and the BFF passes that status through unchanged, so the client's redirect to hosted auth is triggered in both cases.

import { NextRequest } from 'next/server'; // request.cookies is the Next.js API; the standard Request has no .cookies

export async function GET(request: NextRequest) {
  // The access token lives in an HttpOnly cookie the browser app cannot read.
  const accessToken = request.cookies.get('yoyo_auth_access_token')?.value;
  if (!accessToken) {
    return new Response(null, { status: 401 });
  }

  // Forward only the bearer token to a fixed downstream URL; the browser's
  // Cookie header is never relayed.
  const response = await fetch('https://api.yoyogroup.com/resource', {
    headers: { Authorization: `Bearer ${accessToken}` }
  });

  // Pass the upstream status through unchanged: a 401 from the API signals an
  // expired or revoked token and triggers the client's redirect to hosted auth.
  return new Response(await response.text(), {
    status: response.status,
    headers: { 'Content-Type': response.headers.get('Content-Type') || 'application/json' }
  });
}
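The following is an added, framework-neutral version of the three steps above, written for this guide and not taken from the project's own code. It separates the decision (reject, or which upstream call to make) from the I/O so the handler can be exercised without network access, and it goes slightly beyond the page's single route by checking the requested path against an allowlist. The cookie name and upstream origin come from the page; the `/bff` route prefix, the `ALLOWED_PATHS` set, the `parseCookies`, `planProxy` and `proxyGet` names and the injectable `fetchImpl` parameter are assumptions made for this example. It requires Node 18+ (or any runtime with the global `Response`).

```typescript
// Added example (not the page's own code): a framework-neutral BFF GET handler.
// Assumptions: Node 18+ for the global Response; the cookie name and upstream
// origin are from the page; the '/bff' route prefix and the path allowlist are
// assumptions made for this example.

export const ACCESS_COOKIE = 'yoyo_auth_access_token';
export const UPSTREAM_ORIGIN = 'https://api.yoyogroup.com';
export const ROUTE_PREFIX = '/bff';
// Only these upstream paths may be reached through the BFF, so it cannot be
// turned into an open proxy that attaches the user's token to arbitrary URLs.
export const ALLOWED_PATHS = new Set(['/resource']);

// Minimal structural types so the handler works with the standard Request and
// with framework wrappers such as NextRequest alike.
type IncomingRequest = { url: string; headers: { get(name: string): string | null } };
type UpstreamResponse = { status: number; headers: { get(name: string): string | null }; text(): Promise<string> };
type FetchLike = (url: string, init: { method: string; headers: Record<string, string> }) => Promise<UpstreamResponse>;

// Parse a Cookie request header into a name -> value map. Malformed
// percent-encoding is kept verbatim rather than throwing.
export function parseCookies(header: string | null): Map<string, string> {
  const cookies = new Map<string, string>();
  for (const part of (header ?? '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { cookies.set(name, decodeURIComponent(raw)); } catch { cookies.set(name, raw); }
  }
  return cookies;
}

export type ProxyPlan =
  | { kind: 'reject'; status: 401 | 404 }
  | { kind: 'forward'; url: string; headers: Record<string, string> };

// Decide, synchronously, what to do with an incoming BFF request: reject it,
// or describe exactly the upstream call to make. Only the Authorization header
// is built here; the browser's Cookie header is never forwarded.
export function planProxy(requestUrl: string, cookieHeader: string | null): ProxyPlan {
  const url = new URL(requestUrl);
  const upstreamPath = url.pathname.startsWith(ROUTE_PREFIX)
    ? url.pathname.slice(ROUTE_PREFIX.length)
    : url.pathname;
  if (!ALLOWED_PATHS.has(upstreamPath)) return { kind: 'reject', status: 404 };

  const token = parseCookies(cookieHeader).get(ACCESS_COOKIE);
  if (!token) return { kind: 'reject', status: 401 };

  return {
    kind: 'forward',
    url: UPSTREAM_ORIGIN + upstreamPath + url.search,
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
  };
}

// The route handler. fetchImpl is injectable so the handler can be tested
// without network access.
export async function proxyGet(
  request: IncomingRequest,
  fetchImpl: FetchLike = globalThis.fetch as unknown as FetchLike,
): Promise<Response> {
  const plan = planProxy(request.url, request.headers.get('cookie'));
  // Responses carry per-user data or an auth status; never let a shared cache
  // store them.
  const noStore = { 'Cache-Control': 'no-store' };
  if (plan.kind === 'reject') return new Response(null, { status: plan.status, headers: noStore });

  const upstream = await fetchImpl(plan.url, { method: 'GET', headers: plan.headers });
  // A 401 from the API means the token is expired or revoked; pass the status
  // through unchanged so the client can redirect to hosted auth.
  return new Response(await upstream.text(), {
    status: upstream.status,
    headers: { ...noStore, 'Content-Type': upstream.headers.get('content-type') ?? 'application/json' },
  });
}
```

Mount `proxyGet` on the BFF's `/bff/*` route and the browser app calls `/bff/resource` exactly as it would call the API directly; the query string is forwarded, the path is only accepted if it is on the allowlist, and the only credential that leaves the BFF is the bearer token.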

Validation

  • When the session cookie exists, downstream API calls succeed and the proxied body and status are returned to the browser.
  • When the session cookie is missing, or the downstream API rejects the token as expired, the BFF returns 401 and the client redirects to hosted auth.
  • The response to the browser never contains the access token or a refresh token, and the downstream request never carries the browser's Cookie header.