Structure
- Server (
lib/ablo.ts) holds the secretapiKey(sk_). Used by RSCs, Server Actions, and route handlers. Never imported into a client component. - Browser (
app/providers.tsx) holds no secret. It fetches a short-lived per-user token (ek_) from a backend route viaauthEndpoint.
session_expired.
Server Client
Session Route
The browser can’t holdsk_, so a backend route mints a scoped, short-lived
ek_ for the signed-in user. Guard it with your own auth.
Provider
The browser client pointsauthEndpoint at that route and is handed to
<AbloProvider> as an instance (Stripe <Elements stripe={...}> model). Build
it once at module scope so the socket isn’t torn down on every render.
RSC Initial Render
Server Action Commit
Live Client
More
- Next.js landing — the product overview.
- React reference — every option on
useAblo. - API reference — every option on the write path.