Proxy Setup

How to configure your CDN or server to proxy Sesamy requests through your own domain. This keeps all traffic same-origin, which is critical for first-party cookies and Apple ITP compliance.

Why proxy?

Three reasons to proxy Sesamy requests through your own domain:

First-party cookies. Safari's Intelligent Tracking Prevention (ITP) limits third-party cookies to seven days and, in some cases, blocks them entirely. When auth requests go through your domain, cookies are first-party and unaffected.
Same-origin requests. Apple is increasingly restrictive about pages making requests to different IP addresses. By proxying /sesamy-api and /sesamy-auth through your CDN, all requests share the same IP as your site.
Simpler CORS. Same-origin requests skip CORS preflight entirely, reducing latency.

What to proxy

You need two proxy rules. The path prefix is flexible -- /sesamy-api and /sesamy-auth are recommended to avoid conflicts with your own routes.

Your path	Destination	Purpose
`/sesamy-auth/*`	`https://api2.sesamy.com/auth/*`	Authentication (login, callback, logout, userinfo)
`/sesamy-api/*`	`https://api2.sesamy.com/*`	API requests (entitlements, capsule unlock, paywalls)

Forward the Host header

Most proxy configurations need to set the X-Forwarded-Host header to your site's hostname. The Sesamy Token Handler uses this to set cookies on the correct domain.

Cloudflare

If your site is already on Cloudflare, add a Worker or use Transform Rules to proxy the requests.

Using Cloudflare Workers

Create a Worker that proxies matching paths:

javascript

export default {
  async fetch(request) {
    const url = new URL(request.url);

    if (url.pathname.startsWith('/sesamy-auth/')) {
      const target = new URL(url.pathname.replace('/sesamy-auth/', '/auth/'), 'https://api2.sesamy.com');
      target.search = url.search;
      return fetch(target, {
        method: request.method,
        headers: {
          ...Object.fromEntries(request.headers),
          'X-Forwarded-Host': url.hostname,
        },
        body: request.body,
      });
    }

    if (url.pathname.startsWith('/sesamy-api/')) {
      const target = new URL(url.pathname.replace('/sesamy-api/', '/'), 'https://api2.sesamy.com');
      target.search = url.search;
      return fetch(target, {
        method: request.method,
        headers: {
          ...Object.fromEntries(request.headers),
          'X-Forwarded-Host': url.hostname,
        },
        body: request.body,
      });
    }

    return fetch(request);
  },
};

Bind the Worker to your site's routes via wrangler.toml or the Cloudflare dashboard.

Bunny CDN

Bunny CDN supports Edge Rules for URL rewriting and proxying.

Go to your Pull Zone settings
Add an Edge Rule for each path prefix
Set the action to Override Origin with api2.sesamy.com as the target
Add a header override: X-Forwarded-Host set to your hostname

Alternatively, use Bunny's Origin Shield or Perma-Cache with a custom origin that points to api2.sesamy.com for the /sesamy-api and /sesamy-auth paths.

nginx

location /sesamy-auth/ {
    proxy_pass https://api2.sesamy.com/auth/;
    proxy_set_header Host api2.sesamy.com;
    proxy_set_header X-Forwarded-Host $host;
    proxy_ssl_server_name on;
}

location /sesamy-api/ {
    proxy_pass https://api2.sesamy.com/;
    proxy_set_header Host api2.sesamy.com;
    proxy_set_header X-Forwarded-Host $host;
    proxy_ssl_server_name on;
}

proxy_ssl_server_name

The proxy_ssl_server_name on directive is required for nginx to send the correct SNI header when connecting to api2.sesamy.com over TLS.

Vercel / Next.js

Use Vercel's built-in rewrites. These run at the Edge Network with no cold-start overhead.

typescript

// next.config.ts
const nextConfig = {
  async rewrites() {
    return [
      {
        source: '/sesamy-auth/:path*',
        destination: 'https://api2.sesamy.com/auth/:path*',
      },
      {
        source: '/sesamy-api/:path*',
        destination: 'https://api2.sesamy.com/:path*',
      },
    ];
  },
};

export default nextConfig;

Generic reverse proxy

For any reverse proxy or API gateway, the pattern is the same:

Match requests to /sesamy-auth/* and strip the prefix before forwarding to https://api2.sesamy.com/auth/*
Match requests to /sesamy-api/* and strip the prefix before forwarding to https://api2.sesamy.com/*
Set X-Forwarded-Host to your site's hostname
Set Host to api2.sesamy.com
Forward cookies and the request body unchanged

sesamy-js configuration

Once your proxy is in place, configure sesamy-js to use the proxy paths:

json

{
  "clientId": "your-vendor-id",
  "vendorId": "your-vendor-id",
  "api": { "endpoint": "/sesamy-api" },
  "auth": {
    "useHttpCookies": true,
    "baseUrl": "/sesamy-auth"
  }
}

auth.baseUrl is prepended to every /auth/* path the BFF plugin touches, so the runtime fetches /sesamy-auth/auth/userinfo, /sesamy-auth/auth/{vendorId}/login, and /sesamy-auth/auth/logout — matching the proxy rule above. Leave it unset (or set to "") if you proxy /auth/* directly without a prefix.

sesamy-js automatically rewrites Capsule unlock URLs to use the configured api.endpoint, so DCA content also goes through your proxy.

Testing

After setting up the proxy, verify it works:

Open your site and check the Network tab in DevTools
Confirm that /sesamy-auth/auth/userinfo returns a JSON response (even if authenticated: false)
Try logging in -- the /sesamy-auth/auth/{vendorId}/login redirect should work and set cookies on your domain
After login, confirm that /sesamy-api/entitlements returns entitlement data

Next Steps

Authentication Options -- Understand the auth approaches that use proxying
Content Protection -- Set up Capsule or other lock modes
Server-Side Rendering -- Read auth cookies server-side

Proxy Setup ​

Why proxy? ​

What to proxy ​

Cloudflare ​

Using Cloudflare Workers ​

Bunny CDN ​

nginx ​

Vercel / Next.js ​

Generic reverse proxy ​

sesamy-js configuration ​

Testing ​

Next Steps ​