LeashLeash
Guide

User identity

Know who is calling your handler — id, email, name, picture. Use this when you want to scope data per-user, personalize a response, or log who did what.

This is not access control

Restricting who can reach your app happens at the gateway with no code — see Access control. This page is about identifying the user inside a request your code is already serving.

Server-side

Identity-in-code currently lives in the TypeScript SDK (other languages in progress). Construct a Leash client with the incoming request, then call leash.auth.user(). It's sync and null-returning — no try/catch needed.

app/api/me/route.ts
import { Leash } from '@leash/sdk/leash'


export async function GET(req: Request) {
  const leash = new Leash({ request: req })
  const user = leash.auth.user()    // LeashUser | null


  if (!user) {
    return Response.json({ error: 'unauthorized' }, { status: 401 })
  }
  return Response.json({ id: user.id, email: user.email, name: user.name })
}

The SDK reads the leash-auth cookie from the request, validates it, and returns the user. On apps deployed to Leash, the cookie is set by the platform — nothing extra to wire.

Local dev

The leash-auth cookie's scope is .leash.build, so it isn't sent to localhost. Mount Leash.createDevAuthHandler() at app/api/leash/dev-auth/route.ts, then click “Open in local dev” on your app's dashboard page to mint an 8-hour HttpOnly cookie on localhost. See Local dev for the canonical setup.

What changes in production

Same code, no special config. The deployed app runs at *.un.leash.build; the cookie is set by the gateway and sent automatically.

LocalDeployed
leash-auth cookieSet on localhost via the dev-auth handler.Auto-sent on every request to *.un.leash.build.
leash.auth.user()Returns the user that ran the one-click flow.Returns the user that made the request.

Related