Skip to content

fix: separate server and client Pinata configs to prevent JWT exposure #75

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Anishpras wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix: separate server and client Pinata configs to prevent JWT exposure #75

Anishpras wants to merge 3 commits into from

Conversation

@Anishpras
Copy link

@Anishpras Anishpras commented Sep 26, 2025

Fix Next.js documentation to properly separate server and client configurations for Pinata SDK.

The current documentation incorrectly shows importing server-side config (containing JWT) into client components,
which causes "Attempted to access a server-side environment variable on the client" errors.

Changes:

  • Create separate server-config.ts (with JWT) and client-config.ts (without JWT)
  • Update client-side setup to use client-config that only includes the public gateway URL
  • Add warning about never exposing JWT with NEXT_PUBLIC prefix
  • Clarify that client authentication happens through signed URLs from API routes, not direct JWT usage

This prevents accidental exposure of sensitive API keys to the client and fixes the runtime error users encounter
when following the current documentation.

Anishpras and others added 3 commits September 26, 2025 20:38
@Anishpras
fix: separate server and client Pinata configs to prevent JWT exposure
eb06f44 
 Fix Next.js documentation to properly separate server and client configurations for Pinata SDK.

  The current documentation incorrectly shows importing server-side config (containing JWT) into client components,
  which causes "Attempted to access a server-side environment variable on the client" errors.

  Changes:
  - Create separate server-config.ts (with JWT) and client-config.ts (without JWT)
  - Update client-side setup to use client-config that only includes the public gateway URL
  - Add warning about never exposing JWT with NEXT_PUBLIC prefix
  - Clarify that client authentication happens through signed URLs from API routes, not direct JWT usage

  This prevents accidental exposure of sensitive API keys to the client and fixes the runtime error users encounter 
  when following the current documentation.
@Anishpras
Added more details
79149d2
@Anishpras
line break resolved
592a804
@Anishpras Anishpras marked this pull request as ready for review September 26, 2025 15:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Anishpras