Skip to main content
After successful authentication, Hanko generates a session token stored as a cookie. This guide shows how to validate these session tokens in your Java/Spring backend to authenticate API requests.

Get the Hanko API URL

Retrieve your project’s API URL from the Hanko Console. This URL is used to validate session tokens.
If you are self-hosting Hanko, use your self-hosted instance URL instead.

Authentication flow

To authenticate requests in your Java/Spring backend:
  1. Extract the session token from the HTTP cookie
  2. Validate the token using Hanko’s session validation API
  3. Allow or deny the request based on validation result

Implementation example

This example shows how to create a session validator that can be used as a filter in your Java/Spring application:

Using the validator as a Spring filter

Create a filter to protect your routes using the session validator:
Configure Spring to run the filter on all routes that should be protected:
In this example only the /secured route is protected.