Securing Your API: JWT, Rate Limiting & Best Practices in Next.js 🔒

Don't leave your API endpoints exposed. Implementation guide for secure authentication checks and preventing abuse.

zahid ansari

Building scalable systems by applying mental models to code and architecture.

General

Website

Resources

Install this app to stay connected and in the loop.

Building meaningful experiences one pixel at a time 😉.

Made with by Zahid

views

Securing Your API in Next.js 🔒

Exposing API routes in Next.js is easy. Securing them takes intention. Without safeguards, your API is vulnerable to abuse, scraping, and unauthorized data access.

The Problem I Faced

I noticed my public API was receiving thousands of requests from a single IP, causing my database costs to spike. I realized I had no protection against bots or spam.

Understanding the Layers of Defense

Authentication: Who is this user?
Authorization: Are they allowed to do this?
Rate Limiting: Are they doing this too much?

Code Example 1: Server-Side Authentication Check

Using a helper function to guard API routes.

// lib/auth.ts
import { auth } from "@clerk/nextjs";

export function requireAuth() {
  const { userId } = auth();
  if (!userId) {
    throw new Error("Unauthorized");
  }
  return userId;
}

Code Example 2: Implementing Rate Limiting (Upstash/Redis)

import { Ratelimit } from "@upstash/ratelimit";
import { Redis } from "@upstash/redis";
import { NextResponse } from "next/server";

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(10, "10 s"), // 10 requests per 10s
});

export async function POST(req: Request) {
  const ip = req.headers.get("x-forwarded-for") ?? "127.0.0.1";
  
  const { success } = await ratelimit.limit(ip);
  
  if (!success) {
    return NextResponse.json({ error: "Too many requests" }, { status: 429 });
  }

  // Proceed with logic...
}

Common Pitfalls

Mistake 1: Trusting client-side logic for security.
- Don't: Hide a "Delete" button and assume the user won't call the API directly.
- Do: Check permissions inside the API route every single time.

Pro Tips

Service Accounts: If you have other services calling your API, use a secret API Key header strategy distinct from user sessions.
Sanitization: Always sanitize inputs (Zod does this well) to prevent injection attacks.

Wrapping Up

Security is layers. Rate limiting stops the bots, and strict auth checks stop the hackers.

Tech Stack: Next.js, Upstash Redis, Clerk