router-core/auth-and-guards
Auth and Guards
This skill covers the routing side of auth. Route guards are UX and navigation control; the data/API boundary still belongs in the server function, server route, or API endpoint that reads or mutates private data. For the server-side primitives — session cookies (`HttpOnly`/`Secure`/`SameSite`), `useSession`-style helpers, OAuth `state` + PKCE, password-reset enumeration defense, CSRF, rate limiting — see start-core/auth-server-primitives.

CRITICAL: A route guard (`beforeLoad`) does NOT protect a `createServerFn` declared on that route. Server functions are API endpoints reachable independently of the route that calls them. See "Route guards do not protect server functions" below.
Setup
Protect routes with `beforeLoad` + `redirect()` in a pathless layout route (`_authenticated`):
```tsx
// src/routes/_authenticated.tsx
import { createFileRoute, redirect } from '@tanstack/react-router'
```
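The two boundaries side by side, as an added illustration that is not the skill's own code: the `beforeLoad` guard that redirects unauthenticated navigation (preserving the requested page), and a server function that checks the session on its own, because the guard never runs for a direct call to the server function's endpoint. `redirect` and `serverFn` here are minimal local stand-ins for the router's `redirect()` and `createServerFn(...).handler()` so the logic runs without the package installed; `Session` and `getSecrets` are assumed names.

```typescript
// Added illustration. `redirect` and `serverFn` are stand-ins for
// @tanstack/react-router's redirect() and createServerFn so this runs
// without the package; the real route file uses the imports shown above.

type Session = { userId: string } | null

class Redirect extends Error {
  constructor(public to: string, public search: Record<string, string>) {
    super(`redirect to ${to}`)
  }
}

// Stand-in for redirect(): the router catches the thrown value and navigates.
function redirect(opts: { to: string; search: Record<string, string> }): Redirect {
  return new Redirect(opts.to, opts.search)
}

// Route guard for the pathless layout route: navigation control only.
export function beforeLoad(ctx: { session: Session; href: string }): void {
  if (!ctx.session) {
    // Keep the requested page so the login route can send the user back.
    throw redirect({ to: '/login', search: { redirect: ctx.href } })
  }
}

// Stand-in for createServerFn(...).handler(): the server function is an
// endpoint of its own, so it must read the request's session itself.
function serverFn<T>(handler: (session: Session) => T) {
  return (session: Session) => handler(session)
}

// WRONG: relies on the route guard having run. A request sent straight to
// the server function's endpoint never went through beforeLoad.
export const getSecretsUnguarded = serverFn((_session) => ['secret-1'])

// RIGHT: the data boundary verifies the session independently of the route.
export const getSecrets = serverFn((session) => {
  if (!session) throw new Error('401 Unauthorized')
  return [`secret-for-${session.userId}`]
})

// Helper that reports what the guard decided for a given navigation.
export function guardOutcome(session: Session, href: string): string {
  try {
    beforeLoad({ session, href })
    return 'allowed'
  } catch (e) {
    if (e instanceof Redirect) return `${e.to}?redirect=${encodeURIComponent(e.search.redirect)}`
    throw e
  }
}
```

Note that `getSecretsUnguarded(null)` still returns data: the guard blocked the page, not the endpoint.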