Unable to retrieve access token for client side call to non-next.js backend #2130

Open
@SarmanAulakh

Checklist

  • The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

Using Page Router in Next.js 14, I've implemented auth for login/signup. I'm also able to get the access token on the server side/middleware of Next.js.

I'm trying to get the access token and make a request to my Go backend without using a Next.js api endpoint as a proxy (which works, but is a lot of boilerplate to make an additional next.js endpoint just to then call my go endpoint).

https://github.com/auth0/nextjs-auth0/blob/main/EXAMPLES.md#getting-an-access-token

I've tried using import { getAccessToken } from "@auth0/nextjs-auth0" as shown in the docs, but I believe it's for App Router only. When using it on page router, I get 'cookies was called outside a request scope'.

Reproduction

  1. Set up Next.js 14 page router
  2. Set up auth/login using nextjs-auth
  3. Try to make a call to an external API (e.g. Golang backend) without using the Next.js API router as a proxy, for example in a useEffect or using useSWR

Additional context

No response

nextjs-auth0 version

^3.5.0

Next.js version

^14.2.5 Page Router

Node.js version

18.17.0

Activity

tusharpandey13 (Contributor) commented on May 30, 2025

Hi 👋
There's a section in the EXAMPLES.md that shows how to use getAccessToken() in the pages-router.

const token = await auth0.getAccessToken(req, res)

Also, the nextjs-auth0 version mentioned in this issue is ^3.5.0 but you have referenced our latest docs, which are for v4.x.x.

SarmanAulakh (Author) commented on Jun 2, 2025

Hey, so my question was more so to see if there was a way to get the access token on the client side for page router so that I can directly call my Go backend. const token = await auth0.getAccessToken(req, res) works fine, but then I have to first call my Node.js/Next.js backend, and have that make the call to my Go backend.

Was wondering if there was a secure way to call a non-Next.js backend with the token, or if Next.js should proxy all calls to other backends.

tusharpandey13 (Contributor) commented on Jun 5, 2025

Yeah @SarmanAulakh, we have an API endpoint just for this task, it's called /auth/access-token.
Please refer to https://github.com/auth0/nextjs-auth0/blob/main/README.md#routes
We have a config option to optionally disable this for obvious security reasons, but in your case you can use this out of the box, if it's explicitly needed.

Just to be clear here, what you're doing right now is probably better from a security point of view since exposing this api endpoint means that client side JS can also call it and leak the AT. This is the very reason why a flag was added to client configuration. It's a few extra steps but end of day we would recommend your current approach over this api endpoint.
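
The proxy approach recommended in the last comment, as an added example that is not part of the thread or of the nextjs-auth0 project: one catch-all Pages Router API handler that keeps the access token on the server and forwards only allowlisted paths to the backend, so no per-endpoint proxy route is needed. The names buildUpstreamRequest and createBackendProxy, the origin and allowedPrefixes options, and the injected getAccessToken function (assumed to resolve to the token string) are assumptions.

```javascript
// Added example. Hypothetical route file: pages/api/backend/[...path].js, which
// would `export default createBackendProxy({ getAccessToken, origin, allowedPrefixes })`.
const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "PATCH", "DELETE"]);
const badSegment = (s) => !s || s === "." || s === ".." || /[\/\\]/.test(s);

// Pure helper: returns the upstream request to make, or null to refuse.
function buildUpstreamRequest(req, token, { origin, allowedPrefixes }) {
  const { path: rawPath, ...query } = req.query;
  const segments = [].concat(rawPath || []);
  if (!ALLOWED_METHODS.has(req.method)) return null;
  if (segments.length === 0 || segments.some(badSegment)) return null;
  const path = "/" + segments.map(encodeURIComponent).join("/");
  // Match whole path segments so "/v1/orders" does not admit "/v1/orders-export".
  if (!allowedPrefixes.some((p) => path === p || path.startsWith(p + "/"))) return null;
  const url = new URL(path, origin);
  for (const [k, v] of Object.entries(query)) {
    for (const item of [].concat(v)) url.searchParams.append(k, item);
  }
  // Only the bearer token goes upstream; the session cookie is never copied.
  return {
    url: url.toString(),
    method: req.method,
    headers: { authorization: `Bearer ${token}`, accept: "application/json" },
  };
}

// getAccessToken is injected and assumed to resolve to the token string; in the
// route file it would wrap the SDK call quoted above, auth0.getAccessToken(req, res).
function createBackendProxy({ getAccessToken, fetchImpl = fetch, ...opts }) {
  return async function handler(req, res) {
    let token;
    try {
      token = await getAccessToken(req, res);
    } catch {
      return res.status(401).json({ error: "not_authenticated" });
    }
    const upstream = buildUpstreamRequest(req, token, opts);
    if (!upstream) return res.status(404).json({ error: "not_found" });
    const init = { method: upstream.method, headers: upstream.headers };
    if (req.method !== "GET" && req.body) {
      // Assumes Next.js's default JSON body parsing for API routes.
      init.headers["content-type"] = "application/json";
      init.body = JSON.stringify(req.body);
    }
    const r = await fetchImpl(upstream.url, init);
    // Relay status and body only; upstream headers never reach the browser.
    return res.status(r.status).send(await r.text());
  };
}
```

The browser calls /api/backend/... with its session cookie as usual; the token is attached server-side and is never returned to client-side JavaScript.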
