TanStack Start

Authentication for TanStack Start

Add auth using the primitives TanStack Start already gives you — server functions and Web-standard loaders. The Authdog loader takes a Request and returns a Response, so it drops straight into your routes.

Start building Read the docs

Resolve the session

app/routes/index.tsx

// app/routes/index.tsx
import { createServerFn } from "@tanstack/react-start"
import { identityLoader } from "@authdog/tanstack-start"
 
export const loadIdentity = createServerFn({ method: "GET" }).handler(
  async () => (await identityLoader()({ request })).json()
)

Web fundamentals, not magic

Everything TanStack Start apps need

Auth that works with server functions, Web-standard loaders, and cookie sessions — the way the framework was designed.

Web-standard loaders

TanStack Start speaks the Web Fetch API, so the auth loader takes a standard Request and returns a standard Response — it slots straight into your server functions and route loaders.

Server functions

Resolve the session inside a createServerFn handler and hand a verified identity to your routes. Auth lives where your data loading does — on the server.

Cookie-based sessions

Sessions ride secure, HTTP-only cookies set on the server. The provider strips the ?token=… from the URL once the session is persisted — no client token juggling.

Secure by default

Tokens are validated against the trusted identity host and never exposed to browser code, so there's nothing for client scripts to read or leak.

Automatic token refresh

Sessions renew transparently inside the loader, so expired tokens refresh without an extra round trip you have to write yourself.

Typed SDK

A fully typed SDK gives you autocomplete for the user, claims, and roles returned from the identity loader to your routes.

Wrap your app once

Persist the session with the provider

Wrap your app with AuthdogProvider and it strips the ?token=… from the URL after the server persists the session — so the first server render already has a verified identity, with no client-side token handling.

app/router.tsx

// app/router.tsx
import { AuthdogProvider } from "@authdog/tanstack-start/client"
 
<AuthdogProvider>
  {children}
</AuthdogProvider>

Auth without the boilerplate

Authdog leans on TanStack Start's own server functions and Web-standard request model, so resolving a session is a single loader call.

1 server fn

To resolve the session

Wrap identityLoader() in a createServerFn handler and your routes get a verified identity — no middleware indirection.

100%

Web Fetch standard

The loader takes a standard Request and returns a standard Response, so it works with TanStack Start's server primitives unchanged.

Tokens exposed to the browser

Sessions stay in secure, HTTP-only cookies read only on the server — nothing for client code to read or leak.

Add auth to your TanStack Start app.

Install the SDK, wrap your app with the provider, and resolve the session in a server function today. Free to start, with secure defaults built in.

Start Building