
Session Tokens

In the TypeScript SDK, session tokens are the short-lived credentials that CSVImporter uses to open the importer and keep it authenticated in the browser without exposing your long-lived secret key.

Implement getSessionToken() so it returns a fresh token from your backend:

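const importer = new CSVImporter({
  schema,
  // Request a fresh token from your backend on every call; never reuse a stored one.
  getSessionToken: async () => {
    const response = await fetch("/api/expresscsv/session", {
      method: "POST",
    });

    // Fail instead of returning an undefined token when the backend reports an error.
    if (!response.ok) {
      throw new Error(`Session token request failed with status ${response.status}`);
    }

    const { token } = await response.json();
    return token;
  },
  importIdentifier: "user-import",
});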

Avoid:

  • storing the ExpressCSV secret key in frontend code
  • caching import session tokens for reuse across imports
  • reusing an old token from local storage or a database

How to implement the session endpoint

Your backend session endpoint should call POST https://api.expresscsv.com/v1/importer/sessions with your environment secret key and return only the resulting token to the browser.

The example below uses Koa, but the same pattern applies in any backend framework.

import Koa from "koa";
import Router from "@koa/router";

const app = new Koa();
const router = new Router();

router.post("/api/expresscsv/session", async (ctx) => {
  // The secret key is read from the server environment and never leaves the backend.
  const response = await fetch("https://api.expresscsv.com/v1/importer/sessions", {
    method: "POST",
    headers: {
      Authorization: `Bearer ${process.env.EXPRESSCSV_SECRET_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({}),
  });

  // Return a generic error; do not forward the upstream response to the browser.
  if (!response.ok) {
    ctx.status = 500;
    ctx.body = { error: "Failed to create session token" };
    return;
  }

  // Send only the short-lived token to the browser.
  const { token } = await response.json();
  ctx.body = { token };
});

app.use(router.routes());
app.use(router.allowedMethods());

If token creation or refresh fails, the importer surfaces an error and the import can be retried after the underlying backend or access issue is resolved.
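
A hardened variant of the session endpoint logic above, written as a framework-agnostic handler so it can be exercised without a server. This is an added example, not ExpressCSV's own code: `createSessionHandler`, the `req.userId` field (set by your own authentication layer), the injected `fetchImpl` and the `{ status, headers, body }` return shape are all assumptions of the sketch.

```javascript
// Added example (not from the ExpressCSV docs). Assumed names: createSessionHandler,
// req.userId, fetchImpl, and the { status, headers, body } result shape.
const SESSIONS_URL = "https://api.expresscsv.com/v1/importer/sessions";
const GENERIC_ERROR = { error: "Failed to create session token" };

function createSessionHandler({ secretKey, fetchImpl = globalThis.fetch }) {
  const reply = (status, body) => ({
    status,
    // Tokens are per-import: tell browsers and proxies not to store the response.
    headers: { "Cache-Control": "no-store" },
    body,
  });

  return async function handleSessionRequest(req) {
    // Only callers your application has already authenticated may mint a token.
    if (!req.userId) return reply(401, { error: "Not authenticated" });

    // Fail closed when the key is missing instead of sending "Bearer undefined".
    if (!secretKey) return reply(500, GENERIC_ERROR);

    try {
      const upstream = await fetchImpl(SESSIONS_URL, {
        method: "POST",
        headers: {
          Authorization: `Bearer ${secretKey}`,
          "Content-Type": "application/json",
        },
        body: JSON.stringify({}),
      });
      if (!upstream.ok) return reply(500, GENERIC_ERROR);

      const data = await upstream.json();
      if (typeof data?.token !== "string" || data.token === "") {
        return reply(500, GENERIC_ERROR);
      }
      // Forward the token only; every other upstream field is dropped.
      return reply(200, { token: data.token });
    } catch {
      // Network or JSON errors: return the generic error, never upstream details.
      return reply(500, GENERIC_ERROR);
    }
  };
}
```

In a Koa route, call the handler with the authenticated user from `ctx` and copy `status`, `headers` and `body` onto the response.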