DiscordSign up
SKILLS.SH

safe-action-middleware

Use when implementing middleware for next-safe-action -- authentication, authorization, logging, rate limiting, error interception, context extension, or…

INSTALLATION
npx skills add https://github.com/next-safe-action/skills --skill safe-action-middleware
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

next-safe-action Middleware

Quick Start

import { createSafeActionClient } from "next-safe-action";

const actionClient = createSafeActionClient();

// Add middleware with .use()

const authClient = actionClient.use(async ({ next }) => {

const session = await getSession();

if (!session?.user) {

throw new Error("Unauthorized");

}

// Pass context to the next middleware/action via next({ ctx })

return next({

ctx: { userId: session.user.id },

});

});

## How Middleware Works

- `.use()` adds middleware to the chain — you can call it multiple times

- Each `.use()` returns a **new** client instance (immutable chain)

- Middleware executes **top-to-bottom** (in the order added)

- Results flow **bottom-to-top** (the deepest middleware/action resolves first)

- Context is accumulated via `next({ ctx })` — each level's ctx is **deep-merged** with the previous

const client = createSafeActionClient()

.use(async ({ next }) => {

console.log("1: before"); // Runs 1st

const result = await next({ ctx: { a: 1 } });

console.log("1: after"); // Runs 4th

return result;

})

.use(async ({ next, ctx }) => {

console.log("2: before", ctx.a); // Runs 2nd, ctx.a = 1

const result = await next({ ctx: { b: 2 } });

console.log("2: after"); // Runs 3rd

return result;

});

// In .action(): ctx = { a: 1, b: 2 }


## use() Middleware Function Signature

async ({

clientInput, // Raw input from the client (unknown)

bindArgsClientInputs, // Raw bind args array

ctx, // Accumulated context from previous middleware

metadata, // Metadata set via .metadata()

next, // Call to proceed to next middleware/action

}) => {

// Optionally extend context

return next({ ctx: { / new context properties / } });

}


## useValidated() — Post-Validation Middleware

`.useValidated()` registers middleware that runs **after** input validation, giving access to typed `parsedInput`. **Default to `use()`** — only use `useValidated()` when middleware logic depends on validated input.

const action = authClient

.inputSchema(z.object({ postId: z.string().uuid(), title: z.string() }))

.useValidated(async ({ parsedInput, ctx, next }) => {

// parsedInput is typed: { postId: string; title: string }

const post = await db.post.findById(parsedInput.postId);

if (!post || post.authorId !== ctx.userId) {

throw new Error("Not authorized");

}

return next({ ctx: { post } });

})

.action(async ({ parsedInput, ctx }) => {

// ctx.post is available and typed

await db.post.update(ctx.post.id, { title: parsedInput.title });

});


## Execution Order
  1. use() middleware — pre-validation, runs in order added
  1. Input validation — schema parsing
  1. useValidated() middleware — post-validation, runs in order added
  1. Server code (.action()) — receives final ctx and parsedInput
    2. 
Both middleware stacks follow the onion model: code before `next()` runs top-to-bottom, code after `next()` unwinds bottom-to-top.

## use() vs useValidated()

Need
Method

Authentication, logging, rate limiting (no input needed)
`.use()`

Access to raw `clientInput` before validation
`.use()`

Authorization based on validated input (e.g., check user owns resource)
`.useValidated()`

Logging or auditing validated/transformed input
`.useValidated()`

Enriching context with data derived from parsed input
`.useValidated()`

## useValidated() Middleware Function Signature

async ({

parsedInput, // Validated, typed input (from inputSchema)

clientInput, // Raw input from the client

bindArgsParsedInputs, // Validated bind args tuple

bindArgsClientInputs, // Raw bind args array

ctx, // Accumulated context from all previous middleware

metadata, // Metadata set via .metadata()

next, // Call to proceed to next middleware/action

}) => {

return next({ ctx: { / new context properties / } });

}


### Chaining Rules

- Must call `.inputSchema()` or `.bindArgsSchemas()` **before** `.useValidated()`

- Cannot call `.inputSchema()` or `.bindArgsSchemas()` **after** `.useValidated()`

- Cannot call `.use()` **after** `.useValidated()`

- Can chain multiple `.useValidated()` calls

### Schema Transforms

`useValidated()` sees the **transformed** value in `parsedInput`, while `clientInput` retains the original:

authClient

.inputSchema(z.string().transform((s) => s.toUpperCase()))

.useValidated(async ({ clientInput, parsedInput, next }) => {

console.log(clientInput); // "hello" (original)

console.log(parsedInput); // "HELLO" (transformed)

return next();

})


### Context in Error Callbacks

- Context set by `use()` middleware is **always** available in `onError`/`onSettled` callbacks.

- Context set by `useValidated()` middleware is **optional** (may be `undefined`) — if validation fails, `useValidated()` never runs, so its context additions are missing.

## Supporting Docs

- [Authentication & authorization patterns](https://github.com/next-safe-action/skills/blob/HEAD/skills/safe-action-middleware/./auth-patterns.md)

- [Logging & monitoring middleware](https://github.com/next-safe-action/skills/blob/HEAD/skills/safe-action-middleware/./logging-monitoring.md)

- [Standalone reusable middleware with createMiddleware() and createValidatedMiddleware()](https://github.com/next-safe-action/skills/blob/HEAD/skills/safe-action-middleware/./standalone-middleware.md)

## Anti-Patterns

// BAD: Forgetting to return next() — action will hang

.use(async ({ next }) => {

await doSomething();

next({ ctx: {} }); // Missing return!

})

// GOOD: Always return the result of next()

.use(async ({ next }) => {

await doSomething();

return next({ ctx: {} });

})

// BAD: Catching all errors (swallows framework errors like redirect/notFound)

.use(async ({ next }) => {

try {

return await next({ ctx: {} });

} catch (error) {

return { serverError: "Something went wrong" }; // Swallows redirect!

}

})

// GOOD: Re-throw framework errors

.use(async ({ next }) => {

try {

return await next({ ctx: {} });

} catch (error) {

if (error instanceof Error && "digest" in error) {

throw error; // Let Next.js handle redirects, notFound, etc.

}

// Handle other errors

console.error(error);

return { serverError: "Something went wrong" };

}

})

// BAD: useValidated() without an input schema — won't compile

const client = actionClient.useValidated(async ({ parsedInput, next }) => {

return next();

});

// GOOD: Always define inputSchema or bindArgsSchemas before useValidated()

const client = actionClient

.inputSchema(z.object({ id: z.string() }))

.useValidated(async ({ parsedInput, next }) => {

console.log(parsedInput.id); // Typed!

return next();

});

BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

find-skills
2/3

Discover and install specialized agent skills from the open ecosystem when users need extended capabilities. Helps identify relevant skills by domain and task when users ask "how do I do X" or "find a skill for X" Integrates with the Skills CLI ( npx skills find , npx skills add ) to search, verify, and install packages from the skills.sh directory Recommends skills based on install count, source reputation, and GitHub stars to ensure quality before suggesting installation Presents skill options with install commands and links to skills.sh for user review and one-click installation

Verified authorvercel-labs
SKILLS.SH
1.5M19.6K
2026-05-22
vercel-react-best-practices
3/3

React and Next.js performance optimization guide with 64 prioritized rules across 8 categories. Organized by impact level, from critical waterfalls and bundle optimization down to advanced patterns, each rule includes incorrect/correct code examples and explanations Covers eight domains: async patterns, bundle size, server-side caching, client-side data fetching, re-render optimization, rendering performance, JavaScript efficiency, and advanced patterns Designed for use during component writing, code review, refactoring, and performance audits on React and Next.js applications Each rule has a prefix code (e.g., async-parallel , bundle-barrel-imports ) for easy reference in automated tooling and documentation

Verified authorvercel-labs
SKILLS.SH
389K26.9K
2026-05-22
azure-validate
2/3

Pre-deployment validation for Azure infrastructure, configuration, and permissions before deployment. Requires .azure/plan.md from a prior azure-prepare run; stops immediately if the plan is missing Executes recipe-specific validation commands (azd provision, bicep build, terraform validate) and records proof in the plan document Performs build verification, configuration checks, and permission validation; blocks deployment if any check fails Only authorized method to set plan status to Validated ; must be followed by azure-deploy skill to execute the actual deployment

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22
appinsights-instrumentation
3/3

Guidance and reference material for instrumenting webapps with Azure Application Insights. Covers SDK setup, telemetry patterns, and configuration for ASP.NET Core and Node.js applications hosted in Azure Distinguishes between this skill (reference and guidance) and azure-prepare (actual implementation); invoke azure-prepare when the user wants to add instrumentation to their project Provides auto-instrumentation guidance for C# ASP.NET Core apps in Azure App Service, plus manual instrumentation paths for creating App Insights resources via Bicep templates or Azure CLI Includes language-specific code modification guides for ASP.NET Core, Node.js, and Python, plus quick references for OpenTelemetry SDKs and exporters

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card