Refresh session in nextjs app router sdk for client UI
Hi Kinde team,
I'm implementing RBAC in my Next.js application and have a question about keeping permissions in sync. When I delete a permission from my admin panel:
1. How do refreshToken(), refreshData(), and refreshUserClaims() differ functionally?
2. Is there an automated way to update affected users' permissions both server and client-side?
3. I've noticed access tokens don't update automatically when permissions change - what's the recommended approach for this scenario?
Currently, users retain outdated permissions until their token expires or they re-login. I'd appreciate guidance on implementing real-time permission updates following a permission deletion.
Thanks!
Hi,
Thanks for reaching out — great question.
You're absolutely right that access tokens don’t update automatically when permissions change, and users may retain outdated claims until their token expires or re-authenticate.
To handle real-time permission syncing, here’s our recommended approach:
---
Use Webhooks for Real-Time Updates
Kinde supports webhook events such as permission.created, permission.updated, and permission.deleted.
Webhook documentation
1. Set up a webhook endpoint in your Next.js app to receive these events. The payload is a signed JWT — here’s a Next.js example for verifying and handling it.
2. When you receive a permission.deleted event, you can call the Refresh User Claims API to invalidate cached claims:
POST /users/{user_id}/refresh_claims
---
Update Client Session with refreshData()
In your client components, use refreshData() from the Kinde Next.js SDK to update the user session without requiring a full logout.
refreshData() documentation
---
Additional Tips
- Set shorter access token lifetimes to trigger more frequent token refreshes.
- For critical permission checks, you can poll the Management API or enforce permission logic on the backend.
---
Let us know if you'd like help setting up the webhook or implementing claim refreshes — happy to assist.
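The webhook flow described in the reply above, as an added example that is not part of the thread and is not Kinde's own code: it verifies the signed JWT body with the algorithm pinned to RS256 before acting on it, and only then maps a permission.deleted event to the refresh_claims calls. Assumptions: the event carries its name in a `type` field, the verification key is the issuer's published signing key (a throwaway key pair stands in for it here), and `affectedUserIds` is a hypothetical list your app supplies of users who held the permission.

```javascript
// Added example: verify a JWT-format webhook body before acting on it.
const crypto = require("node:crypto");

const b64urlJson = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Verify an RS256-signed JWT against a known public key; throw on any failure.
function verifyWebhookJwt(token, publicKey) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [header, payload, signature] = parts;
  // Pin the algorithm: never let the token's own header choose "none" or HS256.
  if (b64urlJson(header).alg !== "RS256") throw new Error("unexpected alg");
  const ok = crypto.verify(
    "RSA-SHA256",
    Buffer.from(`${header}.${payload}`),
    publicKey,
    Buffer.from(signature, "base64url")
  );
  if (!ok) throw new Error("bad signature");
  return b64urlJson(payload);
}

// Map a verified event to the Management API calls the reply describes.
// affectedUserIds is a hypothetical input: the app must know who held the permission.
function planClaimRefresh(token, publicKey, affectedUserIds) {
  const event = verifyWebhookJwt(token, publicKey); // assumed shape: { type, data }
  if (event.type !== "permission.deleted") return [];
  return affectedUserIds.map((id) => ({
    method: "POST",
    path: `/users/${encodeURIComponent(id)}/refresh_claims`,
  }));
}

// Constructed sample: a throwaway key pair and a locally signed event.
function signSample(payload, privateKey, alg = "RS256") {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const body = `${enc({ alg, typ: "JWT" })}.${enc(payload)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(body), privateKey);
  return `${body}.${sig.toString("base64url")}`;
}

const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const sample = signSample({ type: "permission.deleted", data: {} }, privateKey);
console.log(planClaimRefresh(sample, publicKey, ["kp_constructed_1"]));
```

In a Next.js route handler the token would be the raw request body, and each planned call would be sent to the Management API with your own credentials.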
Thanks, I just created a button to manually refresh the session if needed
Hi,
You're very welcome — glad to hear you’ve implemented a manual refresh option!
If there's anything else you need help with — whether it's setting up webhooks, automating the refresh flow further, or anything else Kinde-related — feel free to reach out.
Also, if you have any feedback or suggestions for how we can make this experience smoother, we'd love to hear it.