Sign in

Protect Server Actions

This guide shows how to protect Server Actions in a Next.js App Router application using protect().

protect() ensures a Server Action only executes for authenticated users and can optionally enforce group-based authorization.

What you'll cover

  • Require authentication inside a Server Action with protect()
  • Customize where users return after signing in
  • Restrict Server Actions to users in specific groups

Before you begin

This guide assumes you’ve completed the Next.js App Router quickstart.

You should already have:

  • A Next.js App Router project
  • Environment variables configured in .env.local
  • Authentication middleware registered
  • Any unprotected routes explicitly configured (matched routes are protected by default)

Protect a Server Action

Create a Server Action and call protect() before running any sensitive logic.

src/app/actions.ts
"use server";

import { protect } from "@monocloud/auth-nextjs";

export async function submitName(formData: FormData) {
  await protect();

  const name = String(formData.get("name") ?? "");
  return { ok: true, name };
}

How it works:

  • If the request is authenticated, the action continues.
  • If the request is unauthenticated:
    • The action does not execute
    • The user is redirected into the MonoCloud sign-in flow

protect() is server-only and can safely be used inside any Server Action, regardless of whether it was triggered from a Server or Client Component.

Customize the return URL

By default, users are returned to the page that triggered the Server Action.

To redirect users to a specific route after signing in, pass a returnUrl option.

src/app/actions.tsx
"use server";

import { protect } from "@monocloud/auth-nextjs";

export async function submitName(formData: FormData) {
  await protect({ returnUrl: "/server-actions" });

  const name = String(formData.get("name") ?? "");
  return { ok: true, name };
}

After authentication, users are redirected to http://localhost:3000/server-actions

Restrict access by group

You can restrict a Server Action to users belonging to specific groups.

Enable group claims

  1. In the MonoCloud Dashboard, add groups to the application scopes
  2. Update your .env.local:
.env.local
MONOCLOUD_AUTH_SCOPES=openid profile email groups
After updating scopes, users must sign out and sign back in for the new claims to be included in their session.

Require a group

src/app/actions.ts
"use server";

import { protect } from "@monocloud/auth-nextjs";

export async function submitAdminAction(formData: FormData) {
  await protect({ groups: ["admin"] });

  const value = String(formData.get("value") ?? "");
  return { ok: true, value };
}

With this configuration:

  • Unauthenticated users are redirected to sign in
  • Authenticated users without the required group are denied access
  • Only users in the admin group can execute the action

Next steps

Protect other parts of your application:

© 2024 MonoCloud. All rights reserved.