How to authorize API requests in fullstack apps

I’m building an app hosted on Monday Code. The app is built using SvelteKit, and to test things out I’m building a simple item view that reads existing data for an item and calls an external API with that data.

I’m having trouble authorizing requests to the Monday API using monday-sdk-js in my development environment. I have a local development server running, and am tunnelling requests using the Monday Apps SDK’s mapps tunnel:create.

As I’m building an item view, my understanding is I need to get the user’s sessionToken, and decode it with my clientSecret. I’m able to decode the session token using jwt.verify(), but I’m not sure what to do with this information. I can’t use the decoded client_id to authorize API requests, and I can’t see any other data in the decoded JWT that would be useful here.

Reading the docs, it looks like the monday JS SDK automatically handles authorization in purely client-side apps. But, as my requests are handled server-side, I’m not sure how to authenticate them.

Sample code from my server endpoint:

// src/routes/my-endpoint/+page.server.ts
import mondaySdk from 'monday-sdk-js';
import { EnvironmentVariablesManager } from "@mondaycom/apps-sdk";
import { env } from '$env/dynamic/private'
import { error } from '@sveltejs/kit'
import jwt, { type JwtPayload } from "jsonwebtoken";
import type { PageServerLoad } from './$types'

const envManager = new EnvironmentVariablesManager();
const monday = mondaySdk()

// Secrets come from the Monday Code environment manager, falling back to the local .env in development
const signingSecret = envManager.get('PRIVATE_MONDAY_SIGNING_SECRET') as string | null ?? env?.PRIVATE_MONDAY_SIGNING_SECRET;
const clientSecret = envManager.get('PRIVATE_MONDAY_CLIENT_SECRET') as string | null ?? env?.PRIVATE_MONDAY_CLIENT_SECRET;

export const load: PageServerLoad = async ({ url }) => {
    const sessionToken: string | null = url.searchParams.get('sessionToken')

    if (!sessionToken || !clientSecret) {
        console.log({ sessionToken, clientSecret, message: 'no client secret or request token' })
        error(401, 'No client secret or request token')
    }

    // Verify the session token's signature with the app's client secret;
    // jwt.verify returns string | JwtPayload, so narrow it to read the claims
    const jwtBody = jwt.verify(sessionToken, clientSecret) as JwtPayload

    const clientId = jwtBody?.dat?.client_id

    // Try to call the monday API using the decoded client_id as the token
    const users = await monday.api(`query { users { id, name } }`, {
        token: clientId
    })
    console.log(users)

    // Log result:
    // { errors: [ { message: 'Not authenticated', extensions: [Object] } ] }
}