bridge
The bridge injects window.pkbridge into every rendered HTML page via a two-part mechanism:
- A data script sets window.__pkbridgeData = {...} inline.
- <script src="/pkbridge.js"></script> loads the bridge logic.
What the bridge exposes
window.pkbridge = {
  user: { id, email, username } | null,
  csrf: "token-string",
  config: { /* only APP.publicConfig keys */ },
  fetch: pkFetch,
}
pkbridge.fetch is a drop-in replacement for window.fetch that automatically adds X-CSRF-Token and Content-Type: application/json headers on mutating requests (POST/PUT/PATCH/DELETE).
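A sketch of the header logic described above, as an added example rather than the project's own pkbridge.js. The names withCsrf and makePkFetch and the origin values are hypothetical, and two behaviours are assumptions the page does not state: the token is withheld from cross-origin requests, and a caller-supplied Content-Type is kept.

```javascript
// Added example: CSRF-aware fetch wrapper logic (not the project's code).
const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Build the init object the wrapper hands to fetch().
// pageOrigin is a parameter so the logic also runs outside a browser;
// in a page it would be window.location.origin.
function withCsrf(input, init = {}, csrfToken, pageOrigin) {
  // Accept a string, a URL object, or a Request-like object with .url
  const href = (input && input.url) || String(input);
  const method = (init.method || (input && input.method) || "GET").toUpperCase();
  const headers = new Headers(init.headers || {});

  if (MUTATING.has(method)) {
    // Assumption: do not overwrite a Content-Type the caller set
    // (for example a non-JSON upload).
    if (!headers.has("Content-Type")) {
      headers.set("Content-Type", "application/json");
    }
    // Assumption: attach the token only when the resolved target is
    // same-origin, so it is never sent to another host. Resolving
    // through URL also covers protocol-relative inputs like //host/x.
    const target = new URL(href, pageOrigin);
    if (target.origin === new URL(pageOrigin).origin) {
      headers.set("X-CSRF-Token", csrfToken);
    }
  }
  return { ...init, method, headers };
}

// Factory returning a fetch-compatible function. baseFetch is injectable
// so the wrapper can be exercised with a stub.
function makePkFetch(csrfToken, pageOrigin, baseFetch = globalThis.fetch) {
  return (input, init) =>
    baseFetch(input, withCsrf(input, init, csrfToken, pageOrigin));
}
```

Because the token is added by a request header that only same-origin script can set, the server side still has to reject mutating requests whose X-CSRF-Token is missing or does not match the session.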
What the bridge never exposes
- Password hashes
- Session tokens
- Encryption keys
- Database connection strings
- Any key not listed in APP.publicConfig