~2 min read

Server helper

@tnuser/qyzar-server calls Qyzar’s HTTP API from Node. Keep the project secret here — never in the browser.

Setup

import { QyzarServer } from "@tnuser/qyzar-server";

export const qyzar = new QyzarServer({
  apiBaseUrl: process.env.QYZAR_API_URL!,
  resolveProjectSecret: async (projectId) => {
    // return secret for this project from env or DB
    return process.env.QYZAR_PROJECT_SECRET!;
  },
});

QyzarServer methods

Name	Use for	Don't use for
createClientToken	Mint a JWT for the browser SDK (optional metadata + optional session binding).	Sending to the browser from client-side code.
verifyClientToken	Check a client JWT and read public metadata (no risk scores).	Authorizing your own API — use verifySessionFromCookies.
verifySessionFromCookies	Every protected API route: pass the incoming Cookie header.	Browser bundles.
verifySession	When you already have sessionId + sessionToken (not only cookies).	Skipping Qyzar when cookies are present.
getExtraMetadata / patchExtraMetadata	Read or update device fields (email, phone, custom keys) for a session.	Replacing your user database.
checkRateLimit	Enforce dashboard website rate limits (IP bucket, optional metadata, per-call override).	Platform HTTP abuse limits — those are separate.
logUserApiRequest	Send your app’s API traffic into Qyzar request logs (dashboard).	Required for basic verification.
logAttemptedLogin	Anti–account-takeover: score a login attempt for a session.	Simple sites with no login risk modeling.
addAtoTrustedIdentifier	Mark a login identifier as trusted on the device after a good login.	First-time anonymous visitors.
generateClientToken	Deprecated alias of createClientToken.	New code — use createClientToken.

Standalone exports (advanced)

The package also exports crypto/metadata helpers. Most teams only use QyzarServer.

Name	Use for	Don't use for
createClientToken (crypto module)	Mint tokens entirely offline when you implement the same crypto as the API.	Most apps — use QyzarServer.createClientToken (HTTP).
verifyClientToken (crypto module)	Offline JWT checks with your project secret.	Session trust on your API.
normalizeClientTokenMetadata	Validate metadata shape before minting.	Runtime verification flow.

Examples

Full walkthroughs: Client tokens, Verify sessions, Rate limiting.

What not to do

Do not import this package in client components or NEXT_PUBLIC code paths.
Do not treat verifyClientToken as “user is logged in” for your product.
Do not skip verifySessionFromCookies on routes that move money or change accounts.