Session validation (client-side)
The TryMellon SDK provides client-side helpers to validate the current session and check WebAuthn support before starting a flow.
validateSession()
Use validateSession() to check whether the user has a valid session from your backend’s perspective. This is useful to avoid showing a login form when the user is already signed in.
const result = await client.validateSession();
if (result.isOk() && result.value.valid) {
  // User has a valid session; redirect to app or show dashboard
}
The SDK calls your backend (or the TryMellon API) to validate the session token. If you use the standard cookie flow, the session token is in an httpOnly cookie and the SDK will use it when configured to talk to your backend.
getStatus()
Use getStatus() to detect WebAuthn support in the current browser and environment. This helps you decide whether to show passkey sign-in or fall back to email OTP.
const status = await client.getStatus();
if (status.webauthnAvailable) {
  // Show "Sign in with Passkey"
} else {
  // Show "Sign in with email" or fallback flow
}
When to use client-side vs backend validation
- Client-side (validateSession, getStatus): Use for UX decisions (show login form or not, show passkey or email). Do not trust these alone for access control.
- Backend validation: Every protected route and API call must validate the session token on the server. See Backend validation.
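The backend half of this split, as an added example that is not TryMellon's own code: a guard that decides access only from the session cookie and a server-side check, and fails closed when that check errors. The cookie name `session` and the `validateToken()` callback are assumptions standing in for whatever your backend validation provides.

```javascript
// Added example. SESSION_COOKIE and validateToken() are hypothetical stand-ins:
// use the cookie name and server-side validation call from your own backend.
const SESSION_COOKIE = 'session'; // assumed cookie name

// Extract one cookie value from a raw Cookie header; null if absent or malformed.
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    try {
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      return null; // bad percent-encoding: treat as no cookie
    }
  }
  return null;
}

// Decide access from the request's Cookie header only. Nothing the client
// asserts about itself (a body field, a custom header) is consulted.
async function authorize(req, validateToken) {
  const token = readCookie(req.headers.cookie, SESSION_COOKIE);
  if (!token) return { status: 401, reason: 'no session cookie' };
  try {
    const session = await validateToken(token); // server-side check
    if (session && session.valid === true) {
      return { status: 200, userId: session.userId };
    }
    return { status: 401, reason: 'invalid session' };
  } catch {
    // Validator unreachable or threw: fail closed rather than allow the request.
    return { status: 401, reason: 'validation failed' };
  }
}

// Connect/Express-style wrapper so every protected route goes through authorize().
function requireSession(validateToken) {
  return async (req, res, next) => {
    const decision = await authorize(req, validateToken);
    if (decision.status !== 200) {
      res.statusCode = decision.status;
      return res.end('Unauthorized');
    }
    req.userId = decision.userId;
    next();
  };
}
```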