Backend validation
The SDK does not create user sessions. Your backend must validate the session_token with TryMellon and then create your own session (e.g. set a cookie or return a JWT).
Validate the token
Call the TryMellon API with the token your frontend received from register() or authenticate():
GET https://api.trymellonauth.com/v1/sessions/validate
Authorization: Bearer {session_token}
Or with a different base URL if you configured one:
GET {apiBaseUrl}/v1/sessions/validate
Authorization: Bearer {session_token}
Response
Success (200):
{
"valid": true,
"user_id": "usr_xxx",
"external_user_id": "user_123",
"tenant_id": "tenant_xxx",
"app_id": "app_xxx"
}
Use external_user_id to identify the user in your system. Then create your own session (e.g. set an httpOnly cookie or issue a JWT) and redirect or return the appropriate response.
Invalid or expired (401):
Do not create a session; return an error to the client.
Example (Node/Express-style)
const express = require('express')
const app = express()
app.use(express.json()) // parse the JSON body so req.body.session_token is available

// POST /api/login: the frontend posts the session_token it got from register() or authenticate()
app.post('/api/login', async (req, res) => {
  const sessionToken = req.body.session_token
  if (!sessionToken) {
    return res.status(400).json({ error: 'session_token required' })
  }
  // Ask TryMellon whether the token is valid (401 means invalid or expired)
  const response = await fetch('https://api.trymellonauth.com/v1/sessions/validate', {
    method: 'GET',
    headers: { Authorization: `Bearer ${sessionToken}` },
  })
  if (!response.ok) {
    return res.status(401).json({ error: 'Invalid session' })
  }
  const data = await response.json()
  // data.valid, data.external_user_id, data.tenant_id, data.app_id
  // Create your own session (e.g. set cookie, store in DB)
  // Then redirect or return success
  return res.status(200).json({ ok: true })
})
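A stricter version of the validation step, added here as an example and not taken from the TryMellon SDK or docs: it accepts a token only when the status is 200, the body actually says `valid: true`, and (optionally) the `app_id` matches the one you expect, and it fails closed on timeouts and malformed bodies. `validateSessionToken`, `fakeMellonFetch`, `expectedAppId` and the token/id values are constructed for this example; the endpoint URL and response fields are the ones documented above.

```javascript
const DEFAULT_BASE_URL = 'https://api.trymellonauth.com' // from the docs above

// Validate a TryMellon session_token server-side. Returns { ok: true, ... } only
// when the status is 200 AND the body says valid AND (if pinned) the token belongs
// to our app_id; every other path fails closed so no local session is created.
async function validateSessionToken(sessionToken, options = {}) {
  const { fetchImpl = globalThis.fetch, apiBaseUrl = DEFAULT_BASE_URL,
          expectedAppId = null, timeoutMs = 5000 } = options // fetchImpl is injectable for offline tests
  if (typeof sessionToken !== 'string' || sessionToken === '') {
    return { ok: false, reason: 'missing_token' }
  }
  const controller = new AbortController()
  const timer = setTimeout(() => controller.abort(), timeoutMs)
  let response
  try {
    response = await fetchImpl(`${apiBaseUrl}/v1/sessions/validate`, {
      method: 'GET',
      headers: { Authorization: `Bearer ${sessionToken}` },
      signal: controller.signal,
    })
  } catch (err) {
    return { ok: false, reason: 'upstream_unreachable' } // network error or timeout
  } finally {
    clearTimeout(timer)
  }
  if (response.status !== 200) return { ok: false, reason: 'rejected' } // 401 per the docs
  let data
  try { data = await response.json() } catch (err) { return { ok: false, reason: 'malformed_body' } }
  if (data.valid !== true || typeof data.external_user_id !== 'string') {
    return { ok: false, reason: 'not_valid' }
  }
  if (expectedAppId !== null && data.app_id !== expectedAppId) {
    return { ok: false, reason: 'app_mismatch' } // token minted for a different app
  }
  return { ok: true, externalUserId: data.external_user_id, tenantId: data.tenant_id }
}

// Constructed stand-in for the TryMellon endpoint so this runs offline: exactly one
// token is good, everything else gets the documented 401.
function fakeMellonFetch(url, opts) {
  const good = (opts.headers || {}).Authorization === 'Bearer tok_good'
  const body = good
    ? { valid: true, user_id: 'usr_1', external_user_id: 'user_123', tenant_id: 'tenant_1', app_id: 'app_1' }
    : { valid: false }
  return Promise.resolve({ status: good ? 200 : 401, json: async () => body })
}
```

In the Express route you would call `validateSessionToken(req.body.session_token, { expectedAppId: YOUR_APP_ID })` and answer 401 for any `ok: false` result without echoing the reason to the client.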
After validation, the session token is consumed by your backend; the frontend should not store it. Use your own session cookie or token for subsequent requests.