Caching

Separate public catalog caching from private and entitlement-sensitive responses.

Public jobs, companies, blog posts, and context can use framework caching. Authenticated me, checkout, applicant, and access responses must remain user-specific.

Classify the response first

ResponseShared cache?Reason
board.context()UsuallyPublic identity, theme, and feature configuration
Public jobs, companies, blog, salariesUsuallySame response for every anonymous visitor
Search resultsShort-lived or uncachedQuery-specific and more volatile
board.me.*NeverBelongs to the authenticated board user
Applications, conversations, employer ATSNeverPrivate user or company data
Billing, checkout, plans with entitlementsNeverViewer- and state-sensitive
Password-gated readsNever in a public cacheDepend on the X-Board-Access grant

The trailing SDK argument is a FetchOptions object. Standard fetch controls such as cache, signal, and headers pass through to the runtime.

ts
// Public catalog read
const jobs = await board.jobs.list(
{ limit: 20, sort: 'newest' },
{ cache: 'force-cache' },
);
// Private account read
const me = await board.me.retrieve(undefined, {
cache: 'no-store',
headers: { authorization: `Bearer ${accessToken}` },
});

Framework-specific extensions such as Next.js cache tags or Cloudflare cf options also pass through. Use only options supported by the runtime and its TypeScript declarations.

Choose invalidation around product behavior

Jobs should become visible within the delay promised by your publishing workflow. A short time-to-live may be enough for catalog pages; a webhook, route revalidation, or tagged invalidation is better when operators expect an immediate publish. Keep sitemap invalidation separate so rebuilding a large catalog does not block page delivery.

Do not cache a 404 longer than the delay between creating a record and publishing its route. Never turn an authorization failure into a shared cached response.

Verify isolation

  1. Request the same private route as two different users through the production CDN or reverse proxy.
  2. Confirm the second response cannot contain the first user’s identity, application, billing, or saved-job state.
  3. Inspect response headers for private, no-store, or an equivalent cache bypass.
  4. Publish a job and measure how long listing, detail, and sitemap surfaces take to converge.

Production notes

  • The SDK does not choose cache policy for you.
  • Any request carrying Authorization or X-Board-Access must bypass shared caches unless the cache key safely incorporates the credential—which is rarely desirable.
  • Abort superseded interactive searches with an AbortSignal; cancellation is also passed to the underlying fetch.

Continue with Security to review credential and redirect boundaries.