Password namespace

Reference for password-protected board access grants.

Verify a board-wide password and retain the returned access grant according to your runtime.

This namespace protects an entire board. It is separate from board.auth, which authenticates an individual candidate or employer.

board.password.verify()

ts
verify(password: string, options?: FetchOptions): Promise<BoardAccessGrant>

Exchanges the board password for a grant. In browser storage modes, the SDK stores grant.token and adds it as X-Board-Access to later reads.

ts
import { isBoardPasswordRequired } from '@cavuno/board';
try {
const jobs = await board.jobs.list({ limit: 20 });
return { state: 'ready' as const, jobs };
} catch (error) {
if (isBoardPasswordRequired(error)) {
return { state: 'password_required' as const };
}
throw error;
}

After the visitor submits the password:

ts
const grant = await board.password.verify(password);
const jobs = await board.jobs.list({ limit: 20 });

The SDK never retries verification automatically because the endpoint is rate-limited. When the board password changes, old grants stop working and reads throw board_password_required; show the gate again.

Server-owned grants

A nostore client returns the grant but does not persist it. Store the token in the httpOnly board-access cookie and pass it on each gated read.

ts
import { serializeGrantCookie } from '@cavuno/board/server';
const grant = await board.password.verify(password);
const setCookie = serializeGrantCookie(grant.token);
const context = await board.context({
cache: 'no-store',
headers: { 'x-board-access': grant.token },
});

For a multi-board origin, use the same { board: identifier } scope with the grant-cookie parser, serializer, and clearer.

Errors

  • board_password_invalid—the submitted password is wrong.
  • board_password_required—a gated read has no current valid grant.
  • HTTP 429—the verification endpoint is rate-limited; do not retry immediately.

Do not log the password or grant token. See SSR sessions for the parallel board-user cookie pattern.