fix(fe): use publishable token for integrating next.js with other services

[jog1t]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivet-inspector	Ready	Preview	Comment	Nov 12, 2025 5:08pm
rivetkit-serverless	Ready	Preview	Comment	Nov 12, 2025 5:08pm

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
rivet-cloud	Ignored			Nov 12, 2025 5:08pm
rivet-site	Ignored			Nov 12, 2025 5:08pm

[jog1t]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• refactor: performance improvements for inspector #3452
• fix(fe): use publishable token for integrating next.js with other services #3451 👈 (View in Graphite)
• fix(rivetkit): remove incorrect getEndpoint call in metadata handler #3433 : 1 other dependent PR (#3438 )
• feat(rivetkit): add json protocol support #3432
• chore(rivetkit): add required zod validation for json encoding #3431
• chore(rivetkit): add listing actors by only name to manager api #3430
• refactor(rivetkit): extract WebSocket protocol parsing to shared utility #3429
• refactor(rivetkit): restructure connection lifecycle contexts #3428
• chore(rivetkit): add WebSocketContext and RequestContext #3427
• chore(rivetkit): add conn type #3426
• chore(rivetkit): add connection for raw http #3425
• chore(rivetkit): rename onFetch to onRequest #3424
• refactor(rivetkit): add state manager for conn with symbol-based access #3423
• fix(rivetkit): use loggerWithoutContext for websocket error when actor undefined #3412
• feat(rivetkit): add GET /actors/names #3411
• feat(api-public): expose actor kv api #3410
• chore(rivetkit): auto-generate inspector token for engine driver #3409
• chore(rivetkit): close websockets on out of sequence messages #3404
• fix(rivetkit): properly apply clientEndpoint from metadata lookup #3402
• fix(rivetkit): properly handle msgIndex for hibernatable websocket reconnection #3401
• chore(rivetkit): rename onstart/onstop to onwake/onsleep #3422
• chore(rivetkit): split ActorInstance logic in to multiple classes #3421
• chore(rivetkit): move conns to separate persisted kv keys #3420
• chore(rivetkit): remove deprecated conn tokens & sse support #3419
• main

---

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[pkg-pr-new]

More templates

• example-ai-agent
• example-background-jobs
• example-better-auth-external-db
• example-bots
• chat-room
• example-cloudflare-workers
• example-cloudflare-workers-hono
• example-counter
• example-counter-serverless
• example-crdt
• example-cursors
• example-cursors-raw-websocket
• example-database
• example-deno
• example-sqlite
• example-elysia
• example-express
• example-freestyle
• example-game
• example-hono
• example-hono-bun
• example-hono-react
• example-kitchen-sink
• example-next-js
• example-rate
• example-raw-fetch-handler
• example-raw-websocket-handler
• example-raw-websocket-handler-proxy
• example-react
• starter
• example-stream
• example-sync
• example-tenant
• example-trpc
• example-workflows

@rivetkit/actor

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/actor@3451

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/cloudflare-workers@3451

@rivetkit/core

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/core@3451

@rivetkit/db

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/db@3451

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/framework-base@3451

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/next-js@3451

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/react@3451

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivet/rivetkit@3451

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sql-loader@3451

@rivetkit/engine-runner

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner@3451

@rivetkit/engine-runner-protocol

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner-protocol@3451

commit: 8cccc54

[claude]

Code Review: Fix publishable token usage for Next.js integrations

Summary

This PR correctly switches from using engineAdminTokenQueryOptions() to usePublishableToken() when integrating Next.js with Vercel and Railway. This is an important security improvement that ensures client-side applications receive publishable tokens instead of admin tokens.

---

Positive Findings

Security Improvement

• Critical fix: Previously, the code was fetching admin tokens which could expose admin-level credentials in client-side environments. The PR correctly switches to publishable tokens.
• For cloud deployments, this now calls createPublishableToken API endpoint
• For engine deployments, it still uses the stored admin token but through a unified interface

Code Quality

• Good code reuse: Exports and reuses usePublishableToken() helper from connect-vercel-frame.tsx
• Consistent pattern applied across all three affected files
• Removes unnecessary loading states in Railway frame since the hook uses useSuspenseQuery
• Proper use of ts-pattern for type-safe environment branching

Configuration

• biome.json: Adding generated file ignore pattern is appropriate

---

Issues and Suggestions

1. Incomplete biome-ignore comment (Minor)

File: frontend/src/app/dialogs/connect-quick-vercel-frame.tsx:1

The ignore comment has a placeholder explanation that should be replaced with the actual reason, similar to connect-vercel-frame.tsx which uses: guarded by build constant

Recommendation: Update the comment to match the more descriptive version.

2. Unused imports (Minor)

File: frontend/src/app/dialogs/connect-quick-vercel-frame.tsx:24-26

The imports useCloudDataProvider and useCloudNamespaceDataProvider appear unused and should be removed.

Recommendation: Remove unused imports to keep the code clean.

---

Test Coverage

Concern: No tests were added or modified for these changes.

Recommendation: Consider adding tests to verify the correct token type is returned based on APP_TYPE, though given this is primarily a security fix and the lack of existing tests in this directory, manual verification may be sufficient.

---

Security Considerations

Excellent security improvement! This change ensures:

1. Client-side code never receives admin-level tokens
2. Publishable tokens have appropriate scoping for public use
3. The principle of least privilege is maintained

Verification needed: Please confirm publishable tokens have been tested in both cloud and engine modes with Vercel/Railway deployments.

---

Performance

No performance concerns. The switch to useSuspenseQuery actually improves UX by preventing loading states.

---

Overall Assessment

Recommendation: Approve with minor cleanup

This is a valuable security improvement that properly segregates token types. The minor issues are cosmetic and do not block the PR.

Action items before merge (optional but recommended):

1. Fix the biome-ignore comment explanation
2. Remove unused imports
3. Manually test both cloud and engine deployments

Great work on identifying and fixing this security issue!