Next.js 16 auto-detects web/proxy.ts as middleware, gating all /api/*
routes behind bearer token validation. The token was only cached in
memory (lost on page refresh) and extracted from the URL hash fragment
(cleared after first extraction). This caused 401 errors on page
refresh and broke the sendBeacon shutdown call which cannot set
custom headers.
Changes:
- Persist the auth token to sessionStorage after extracting from the
URL fragment so it survives page refreshes within the same tab
- Fall back to sessionStorage when the URL hash is absent (refresh,
bookmark without hash)
- Pass the auth token as a _token query parameter in the sendBeacon
shutdown call since sendBeacon cannot set Authorization headers
- Add regression tests for token persistence, sessionStorage fallback,
and sendBeacon authentication
Fixes#1851
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
f4db25b9b8