
Sessions

Validate, forward, and revoke Buildspace sessions.

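Sessions are managed by Better Auth and stored server-side in PostgreSQL. Tokens are stored directly (not hashed), so anyone with read access to the session table holds usable tokens; treat that table and its backups as credentials. Tokens expire after 30 days by default.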

Session flow

  1. Exchange the callback code for an access_token on your server.
  2. Store the session token in a secure HTTP-only cookie.
  3. Validate each request with bs.auth.getSession(token).
  4. Sign out via bs.auth.signOut(token) and clear your app's local cookie.

The session cookie is named bs_session and is configured with:

  • httpOnly: true — not accessible via JavaScript
  • secure: true — HTTPS only in production
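  • sameSite: "lax" — withheld on cross-site POSTs and subrequests, which mitigates CSRF; still sent on top-level GET navigations, so state-changing actions must not be reachable via GET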
  • Cross-subdomain support for *.buildspace.studio
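
The session flow and cookie settings above, sketched as framework-neutral helpers. This is an added example, not Buildspace's own code: `auth` stands in for `bs.auth` and is passed in by the caller, the helper names and the `production`/`domain` options are hypothetical, and `getSession` is assumed to resolve to a falsy value when the token is not valid.

```javascript
// Added example. `auth` stands in for bs.auth; getSession() is assumed to
// resolve to a falsy value for an unknown, expired, or revoked token.
const COOKIE = "bs_session";
const MAX_AGE = 30 * 24 * 60 * 60; // default 30-day expiry, in seconds

// Build the Set-Cookie value; an empty token yields the clearing cookie.
function sessionCookie(token, { production = true, domain } = {}) {
  const parts = [`${COOKIE}=${encodeURIComponent(token)}`, "Path=/", "HttpOnly", "SameSite=Lax"];
  if (production) parts.push("Secure");
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`Max-Age=${token === "" ? 0 : MAX_AGE}`);
  return parts.join("; ");
}

// Pull the token out of a Cookie request header. Returns null when the cookie
// is missing, empty, undecodable, or present more than once (ambiguous).
function readSessionToken(cookieHeader = "") {
  const values = cookieHeader.split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.startsWith(`${COOKIE}=`))
    .map((pair) => pair.slice(COOKIE.length + 1));
  if (values.length !== 1 || values[0] === "") return null;
  try {
    return decodeURIComponent(values[0]);
  } catch {
    return null;
  }
}

// Step 3: validate on every request and fail closed.
async function authenticate(auth, cookieHeader, opts) {
  const token = readSessionToken(cookieHeader);
  if (!token) return { session: null, setCookie: null };
  try {
    const session = await auth.getSession(token);
    if (session) return { session, setCookie: null };
    return { session: null, setCookie: sessionCookie("", opts) }; // stale: clear it
  } catch {
    return { session: null, setCookie: null }; // lookup failed: deny, keep cookie
  }
}

// Step 4: revoke server-side first, then clear the local cookie. A failed
// revocation throws, so the caller knows the session may still be live.
async function signOut(auth, cookieHeader, opts) {
  const token = readSessionToken(cookieHeader);
  if (token) await auth.signOut(token);
  return sessionCookie("", opts);
}
```

The clearing cookie only takes effect when its Domain and Path match the cookie that was originally set, which is why the same options are passed through on sign-out.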

Forwarding sessions

You can forward a session token to other service calls:

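// Bind the session token to the client so later calls carry it.
bs.setSession(token);
// This storage call runs with the forwarded session.
await bs.storage.getSignedUrl("exports/report.pdf");
// No token argument here: the call relies on the session set above.
await bs.auth.signOut();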
