Server API Routes
Server API Routes, also known as Resource Routes, are the standard way to fetch and mutate data in Storefront Next. They implement the Backend-For-Frontend (BFF) pattern—your client-side components communicate with these server endpoints, which securely handle B2C Commerce API calls, authentication, and sensitive business logic.
All data fetching routes through server endpoints. Server routes handle:
- API authentication: SLAS flows, client secrets, and token management.
- B2C Commerce API proxying: All SCAPI calls route through server endpoints.
- Callbacks and redirects: Auth redirects, webhooks, JWKS proxying.
- Cookie and header management: Session handling, locale preferences.
- JSON responses: Data for
useFetcher()or client-sidefetch()calls.
This approach keeps credentials secure, reduces client bundle size, and centralizes data access patterns.
Server routes implement the Backend-for-Frontend (BFF) pattern. Your storefront app acts as an intermediary between the client and backend services.
This architecture provides:
- API aggregation: Combine multiple Commerce API calls into single endpoints.
- Security: Keep API credentials and sensitive logic on the server.
- Performance: Reduce client-side JavaScript and network requests.
- Flexibility: Transform API responses to match your UI needs.
Storefront Next uses React Router 7 in framework mode. Routes are defined by files in src/routes/ by using the flat routes convention.
A route module becomes a resource route (API endpoint) when it exports only data functions such as loader and action, without a default React component.
| Term | Definition |
|---|---|
| Server route | Any route file in src/routes/ that runs on the server. |
| Resource route | A server route that exports only data functions (no default component). |
| Loader | A function that handles GET requests and returns data. |
| Action | A function that handles mutations (POST, PUT, DELETE). |
Storefront Next uses these naming conventions.
resource.*files map to/resource/...endpoints.action.*files map to/action/...endpoints.loader.*files map to/loader/...endpoints._empty.*files bypass parent layouts. Use this prefix when a route needs to render without the standard page wrapper, for example, the logout action that redirects immediately.
All data fetching in Storefront Next happens on the server. Resource routes use loader and action functions that run server-side for both initial page loads and client-side navigation.
This server-side approach provides:
- Security: Sensitive API keys and business logic stay on the server.
- Performance: Reduced client bundle size.
- Consistency: Single source of truth for data-fetching logic.
- SEO: All data is available during server-side rendering.
Always use server-side loader and action functions. While React Router supports clientLoader and clientAction, Storefront Next enforces a server-only data retrieval. Client-side loaders expose your app to security risks and violates the architecture. If you have a rare edge case that seems to require client-side data fetching, consult with the team before implementing.
Server routes support three main patterns: loaders for GET requests, actions for mutations, and dynamic parameters for flexible endpoints.
Use a loader to respond to GET requests. This example shows a store search endpoint.
Use an action to handle mutations and form submissions. This example shows a locale-setting endpoint.
Use dynamic segments when a family of endpoints shares a common shape.
This dynamic segment maps to /resource/auth/:operation. For example, /resource/auth/login-guest.
For standard B2C Commerce operations, use the useScapiFetcher hook. This hook pairs with a generic server route so that you can call any SCAPI method from your components while keeping the actual API communication on the server.
You don’t interact with the underlying server route directly—the hook handles everything for you.
For mutations, use the submit method.
While useScapiFetcher looks like a direct API call, it serializes your request, sends it to the server route, executes the SDK method on the server, and returns the result. The hook provides these convenience properties: data (the response payload), errors (any error messages), success (a boolean), and state (loading, submitting, or idle).
Don’t await the load() or submit() methods expecting data to be populated when the promise resolves. These methods trigger the fetch but return immediately. Use the state property or useEffect to react to data changes instead.
Server routes use standard Web APIs, such as Request, Response, and FormData, for handling requests and responses. For detailed patterns, see the React Router Actions.
Handle errors gracefully and return appropriate status codes. Don’t expose sensitive information in error messages.
Status Code Guidelines
| Status | Use Case |
|---|---|
400 | Validation errors for missing or invalid input. |
401 | Authentication required. |
403 | Authorization denied. |
404 | Unknown operations or resources. |
500 | Unexpected server failures. |
Use React Router’s useFetcher() hook to call server routes without triggering a full page navigation. For complete documentation, see React Router’s Data Loading.
Don’t await the fetcher.load() or fetcher.submit() methods expecting fetcher.data to be populated when the promise resolves. These methods trigger the request but return immediately. Use fetcher.state or a useEffect watching fetcher.data to react when data arrives.
Server routes handle sensitive operations. Follow these practices.
Always validate and sanitize input from requests.
Never embed client secrets in browser code. Server routes exist specifically to keep credentials secure.
Use the generic Commerce SDK proxy (resource.api.client.$resource.ts) carefully. If you implement similar patterns, enforce an allowlist of methods and validate parameters. Don’t expose a “call-anything” proxy without guardrails.
Public endpoints must set appropriate Cache-Control headers.
| File Name | Route URL | Purpose |
|---|---|---|
resource.stores.ts | /resource/stores | Store locator BFF endpoint |
resource.auth.$operation.ts | /resource/auth/:operation | Authentication operations |
resource.api.client.$resource.ts | /resource/api/client/:resource | Generic Commerce SDK proxy |
action.set-locale.ts | /action/set-locale | Set locale cookie server-side |
action.set-currency.ts | /action/set-currency | Set currency preference |
action.place-order.ts | /action/place-order | Order placement |
loader.wishlist-products.tsx | /loader/wishlist-products | Wishlist products data |
oauth2.jwks.ts | /oauth2/jwks | JWKS proxy endpoint |
_empty.logout.ts | /logout | Logout endpoint without layout |
| Package | Purpose |
|---|---|
react-router | Framework with loader/action pattern |
@salesforce/storefront-next-runtime | Runtime utilities, SCAPI types |