What is a Server Action?

Next.js's RPC mechanism: an async function marked with the `"use server"` directive that runs on the server but is callable from client components. Every Server Action is a public, unauthenticated API endpoint by default — auth + ownership checks are the developer's responsibility.

Full explanation

Server Actions were introduced in Next.js 13 and stabilized in Next.js 14. The `"use server"` directive turns a function into a callable RPC; Next.js packages the call as a POST to a serialized endpoint that any browser can hit. The serialized endpoint is exposed in the client bundle, callable by anyone with the URL — there is no implicit auth boundary. The convenience hides the risk: AI-generated Server Actions frequently skip the auth check that the framework does not provide.

Example

A Server Action that takes user_id from FormData and trusts it: any authenticated user can request another user's data by changing the FormData payload. The fix is resolving the user from the verified session via getAuthenticatedUser(), never trusting FormData identifiers.

FAQ

Doesn't `"use server"` mean only my server can call it?

No. It means the function runs on the server. The endpoint Next.js generates from it is publicly callable. Treat every Server Action as a public API endpoint and add auth + ownership checks accordingly.

What about CSRF protection?

Next.js 14+ has built-in CSRF protection for Server Actions via origin-header validation, on by default for App Router. Earlier versions or custom configurations may not. Verify your version + config.
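To make the mechanism behind that answer concrete, here is an added illustration of origin-header validation for a state-changing POST. It is not Next.js's implementation and not code from this page; `isAllowedActionRequest()` and the header values are constructed for the example. The logic is the generic one: a browser attaches an `Origin` header to cross-site POSTs, so the server compares the origin's host with the host it believes it is serving (or an explicit allowlist, for deployments behind a proxy that rewrites the host).

```typescript
// Added example: same-origin check for an action POST. Illustrative only,
// not the framework's code. Headers are passed as a lower-cased map.

export function isAllowedActionRequest(
  headers: Record<string, string | undefined>,
  allowedOrigins: string[] = [], // hosts permitted besides the request host
): boolean {
  // Browsers send Origin on POST; a missing Origin cannot be trusted as same-site.
  const origin = headers["origin"];
  if (!origin) return false;

  let originHost: string;
  try {
    originHost = new URL(origin).host; // "app.example.com" or "localhost:3000"
  } catch {
    return false; // malformed Origin
  }

  // Only honour X-Forwarded-Host if a trusted reverse proxy sets it; otherwise
  // the client could supply it. Here the assumption is that it is trusted.
  const serverHost = headers["x-forwarded-host"] ?? headers["host"];
  if (!serverHost) return false;

  return originHost === serverHost || allowedOrigins.includes(originHost);
}

// Constructed requests: a same-origin form post and a cross-site one.
const sameOrigin = { origin: "https://app.example.com", host: "app.example.com" };
const crossSite = { origin: "https://attacker.example", host: "app.example.com" };
console.log(isAllowedActionRequest(sameOrigin)); // true
console.log(isAllowedActionRequest(crossSite));  // false
```

The check is only meaningful if it is actually enforced for your version and routing setup, which is the page's advice: confirm it rather than assume it.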