Iren Saltali · architecture
Edge Auth Patterns for SPA Backends
A practical look at what a browser-facing API should validate and shape at the edge before requests reach origin code.
The short answer: SPA backends are cleaner when the edge tier normalizes auth, CORS, and a small set of identity headers before origin services receive the request.
When to read this
- A browser SPA calls several services.
- You need consistent bearer-token handling and CORS behavior.
- You want to cut duplicate auth plumbing from backend services.
What matters in practice
- Centralize browser-specific concerns at the edge.
- Keep the forwarded identity contract small.
- Choose one authorizer mode per route family to avoid debugging sprawl.
Concrete example

```json
{
  "authorizer": {
    "type": "auth0",
    "domain": "$env.AUTH0_DOMAIN",
    "client_id": "$env.AUTH0_CLIENT_ID",
    "client_secret": "$secret.AUTH0_CLIENT_SECRET",
    "redirect_uri": "https://serverlessapigateway.com/api/auth0/callback",
    "jwks_uri": "https://tenant.auth0.com/.well-known/jwks.json",
    "scope": "openid profile email"
  },
  "paths": [
    { "method": "GET", "path": "/api/auth0/callback", "integration": { "type": "auth0_callback" } },
    { "method": "GET", "path": "/api/auth0/profile", "auth": true, "integration": { "type": "auth0_userinfo" } },
    { "method": "GET", "path": "/api/auth0/refresh", "integration": { "type": "auth0_refresh" } }
  ]
}
```

The example above is intentionally small because the best gateway configs stay readable. Add only the route, auth, and mapping behavior you actually need.
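As an added illustration (not the gateway's own code), here is a minimal edge pipeline in JavaScript that applies the three points above: it answers CORS preflight for an allow-listed origin, enforces route-level `auth` the way the `paths` entries in the config do, and forwards only a small identity contract (`x-user-id`, `x-user-email`) derived from verified claims, after stripping any same-named headers the browser sent. The route table, origin allow-list, header names and the injected `verifyToken` function are assumptions; signature verification against the tenant JWKS happens inside `verifyToken` and is not shown.

```javascript
// Assumed route table mirroring the config's "paths": only routes with auth: true
// require a bearer token. Requests and responses are plain objects for clarity.
const ROUTES = [
  { method: "GET", path: "/api/auth0/callback", auth: false },
  { method: "GET", path: "/api/auth0/profile", auth: true },
  { method: "GET", path: "/api/public/status", auth: false },
];
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed allow-list
const IDENTITY_HEADERS = new Set(["x-user-id", "x-user-email"]); // the forwarded contract

function lowerHeaders(headers) {
  // Normalise header names so spoof checks and lookups are case-insensitive.
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

function matchRoute(method, path) {
  return ROUTES.find((r) => r.method === method && r.path === path) || null;
}

function corsHeaders(origin) {
  // Reflect only allow-listed origins; unknown origins get no CORS headers at all.
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-methods": "GET, POST, OPTIONS",
    "access-control-allow-headers": "authorization, content-type",
    vary: "origin",
  };
}

// verifyToken(token) is injected: it must check signature (via JWKS), iss, aud and exp,
// and return the claims object or null. forward === null means "do not reach origin".
function handleEdge(req, verifyToken) {
  const h = lowerHeaders(req.headers || {});
  const cors = corsHeaders(h.origin || "");
  if (req.method === "OPTIONS") return { status: 204, headers: cors, forward: null };
  const route = matchRoute(req.method, req.path);
  if (!route) return { status: 404, headers: cors, forward: null };
  // Never trust inbound identity headers: drop them before deciding anything.
  const forwardHeaders = Object.fromEntries(Object.entries(h).filter(([k]) => !IDENTITY_HEADERS.has(k)));
  if (route.auth) {
    const auth = h.authorization || "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
    const claims = token ? verifyToken(token) : null;
    if (!claims) return { status: 401, headers: { ...cors, "www-authenticate": "Bearer" }, forward: null };
    forwardHeaders["x-user-id"] = claims.sub; // identity set only from verified claims
    forwardHeaders["x-user-email"] = claims.email || "";
  }
  return { status: 200, headers: cors, forward: { method: req.method, path: route.path, headers: forwardHeaders } };
}
```

Origin services can then rely on `x-user-id` being either absent (public route) or set by the edge, and never on anything the browser supplied.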
How this maps to the current gateway
The current codebase already supports the behavior discussed here through its config schema, route matcher, and integration handlers. That is why this project is a good fit for reader-first examples: the docs and blog can point to real, implemented behavior instead of hypothetical gateway features.
What this product does not do
- A gateway does not remove the need for secure token storage in the client.
- The repo does not ship a frontend session library or browser SDK abstraction.
FAQ
Should the SPA call Auth0 through the gateway?
That depends on your login flow, but the gateway can own callback, profile, and refresh routes.
Can the gateway handle public and private SPA routes together?
Yes. Route-level auth makes mixed public/private APIs straightforward.
Related docs
- why cors breaks spas and how to fix it at the gateway
- auth0 login redirect route
- public routes private routes and least privilege
Last reviewed: March 6, 2026