Protected Routes

In this guide, you’ll learn how to secure specific routes in your Cortado backend so that only authorized users can access them. Protecting routes is essential when handling sensitive data or gated content. We’ll walk through the concept of authentication tokens, explain how to validate requests, and show how to apply route-level restrictions. By the end, your application will be able to distinguish between public and private endpoints while ensuring unauthorized access is blocked.

Beginner

14 min


Step 1: Understand Auth Basics

Before protecting routes, you need to understand how authentication works in Cortado:

  • Most authenticated flows rely on bearer tokens passed via HTTP headers

  • A valid token confirms a user’s identity and grants them access to protected endpoints

  • The backend checks the token before processing the request

  • Tokens can come from third-party services like FramerAuth, Lemon Squeezy, or your own system

Once the token format and validation method are clear, you can begin enforcing access rules in your app.


Step 2: Define Access Control Strategy

Plan which parts of your backend should be protected:

  • Public Routes: Homepages, pricing, static content

  • Protected Routes: User dashboards, admin panels, asset management

  • Scoped Routes: Routes restricted by user role (e.g. admin, subscriber)

To enforce this:

  • Add a verification layer that checks for a valid token before proceeding

  • Reject unauthenticated requests with proper error messages

  • Optionally decode tokens to extract user roles or scopes

This strategy gives you flexibility and security in how you handle user permissions.


Step 3: Route Access Logic Overview

Each route type should be clearly labeled in your project. When a request comes in:

  • Check if a token exists

  • Verify it (e.g. by checking a JWT signature and expiry, or by asking the external service that issued it)

  • Determine access level (e.g. basic user or admin)

  • Grant or deny access accordingly

Securing Endpoints in Practice

Once you have your authentication logic and access strategy, apply it to real routes. For example, routes like /user/settings should only be accessible with a valid token. Middleware or route guards can intercept incoming requests and verify tokens before allowing access. If a token is invalid or missing, respond with an error and block further processing. For role-specific routes, extract the user role from the token and compare it against allowed values. This consistent approach ensures your backend behaves predictably, keeps data secure, and limits access to only authorized users.


Last updated on Jul 26, 2025