Skip to content
Nahida-aa

Server Functions

What are Server Functions?

Section titled “What are Server Functions?”

Server functions let you define server-only logic that can be called from anywhere in your application - loaders, components, hooks, or other server functions. They run on the server but can be invoked from client code seamlessly.

import { createServerFn } from '@tanstack/react-start'


export const getServerTime = createServerFn().handler(async () => {
  // This runs only on the server
  return new Date().toISOString()
})


// Call from anywhere - components, loaders, hooks, etc.
const time = await getServerTime()

Server functions provide server capabilities (database access, environment variables, file system) while maintaining type safety across the network boundary.

Basic Usage

Section titled “Basic Usage”

Server functions are created with createServerFn() and can specify HTTP method:

import { createServerFn } from '@tanstack/react-start'


// GET request (default)
export const getData = createServerFn().handler(async () => {
  return { message: 'Hello from server!' }
})


// POST request
export const saveData = createServerFn({ method: 'POST' }).handler(async () => {
  // Server-only logic
  return { success: true }
})

Where to Call Server Functions

Section titled “Where to Call Server Functions”

Call server functions from:

  • Route loaders - Perfect for data fetching
  • Components - Use with useServerFn() hook
  • Other server functions - Compose server logic
  • Event handlers - Handle form submissions, clicks, etc.
// In a route loader
export const Route = createFileRoute('/posts')({
  loader: () => getServerPosts(),
})


// In a component
function PostList() {
  const getPosts = useServerFn(getServerPosts)


  const { data } = useQuery({
    queryKey: ['posts'],
    queryFn: () => getPosts(),
  })
}

File Organization

Section titled “File Organization”

For larger applications, consider organizing server-side code into separate files. Here’s one approach:

src/utils/
├── users.functions.ts   # Server function wrappers (createServerFn)
├── users.server.ts      # Server-only helpers (DB queries, internal logic)
└── schemas.ts           # Shared validation schemas (client-safe)
  • .functions.ts - Export createServerFn wrappers, safe to import anywhere
  • .server.ts - Server-only code, only imported inside server function handlers
  • .ts (no suffix) - Client-safe code (types, schemas, constants)

Example

Section titled “Example”
// users.server.ts - Server-only helpers
import { db } from '~/db'


export async function findUserById(id: string) {
  return db.query.users.findFirst({ where: eq(users.id, id) })
}
// users.functions.ts - Server functions
import { createServerFn } from '@tanstack/react-start'
import { findUserById } from './users.server'


export const getUser = createServerFn({ method: 'GET' })
  .inputValidator((data: { id: string }) => data)
  .handler(async ({ data }) => {
    return findUserById(data.id)
  })

Static Imports Are Safe

Section titled “Static Imports Are Safe”

Server functions can be statically imported in any file, including client components:

// ✅ Safe - build process handles environment shaking
import { getUser } from '~/utils/users.functions'


function UserProfile({ id }) {
  const { data } = useQuery({
    queryKey: ['user', id],
    queryFn: () => getUser({ data: { id } }),
  })
}

The build process replaces server function implementations with RPC stubs in client bundles. The actual server code never reaches the browser.

Parameters & Validation

Section titled “Parameters & Validation”

Server functions accept a single data parameter. Since they cross the network boundary, validation ensures type safety and runtime correctness.

Basic Parameters

Section titled “Basic Parameters”
import { createServerFn } from '@tanstack/react-start'


export const greetUser = createServerFn({ method: 'GET' })
  .inputValidator((data: { name: string }) => data)
  .handler(async ({ data }) => {
    return `Hello, ${data.name}!`
  })


await greetUser({ data: { name: 'John' } })

Validation with Zod

Section titled “Validation with Zod”

For robust validation, use schema libraries like Zod:

import { createServerFn } from '@tanstack/react-start'
import { z } from 'zod'


const UserSchema = z.object({
  name: z.string().min(1),
  age: z.number().min(0),
})


export const createUser = createServerFn({ method: 'POST' })
  .inputValidator(UserSchema)
  .handler(async ({ data }) => {
    // data is fully typed and validated
    return `Created user: ${data.name}, age ${data.age}`
  })

Form Data

Section titled “Form Data”

Handle form submissions with FormData:

export const submitForm = createServerFn({ method: 'POST' })
  .inputValidator((data) => {
    if (!(data instanceof FormData)) {
      throw new Error('Expected FormData')
    }


    return {
      name: data.get('name')?.toString() || '',
      email: data.get('email')?.toString() || '',
    }
  })
  .handler(async ({ data }) => {
    // Process form data
    return { success: true }
  })

Error Handling & Redirects

Section titled “Error Handling & Redirects”

Server functions can throw errors, redirects, and not-found responses that are handled automatically when called from route lifecycles or components using useServerFn().

Basic Errors

Section titled “Basic Errors”
import { createServerFn } from '@tanstack/react-start'


export const riskyFunction = createServerFn().handler(async () => {
  if (Math.random() > 0.5) {
    throw new Error('Something went wrong!')
  }
  return { success: true }
})


// Errors are serialized to the client
try {
  await riskyFunction()
} catch (error) {
  console.log(error.message) // "Something went wrong!"
}

Redirects

Section titled “Redirects”

Use redirects for authentication, navigation, etc:

import { createServerFn } from '@tanstack/react-start'
import { redirect } from '@tanstack/react-router'


export const requireAuth = createServerFn().handler(async () => {
  const user = await getCurrentUser()


  if (!user) {
    throw redirect({ to: '/login' })
  }


  return user
})

Not Found

Section titled “Not Found”

Throw not-found errors for missing resources:

import { createServerFn } from '@tanstack/react-start'
import { notFound } from '@tanstack/react-router'


export const getPost = createServerFn()
  .inputValidator((data: { id: string }) => data)
  .handler(async ({ data }) => {
    const post = await db.findPost(data.id)


    if (!post) {
      throw notFound()
    }


    return post
  })

Advanced Topics

Section titled “Advanced Topics”

For more advanced server function patterns and features, see these dedicated guides:

Server Context & Request Handling

Section titled “Server Context & Request Handling”

Access request headers, cookies, and customize responses:

import { createServerFn } from '@tanstack/react-start'
import {
  getRequest,
  getRequestHeader,
  setResponseHeaders,
  setResponseStatus,
} from '@tanstack/react-start/server'


// Public, non-personalized data — safe to cache shared across users.
export const getPublicData = createServerFn({ method: 'GET' }).handler(
  async () => {
    setResponseHeaders(
      new Headers({
        // 'public' is correct ONLY when the response does not depend on identity.
        // For anything tied to a session/user/tenant, see the authenticated example below.
        'Cache-Control': 'public, max-age=300',
        'CDN-Cache-Control': 'max-age=3600, stale-while-revalidate=600',
      }),
    )
    setResponseStatus(200)
    return fetchPublicData()
  },
)

Cache-Control safety: public tells every CDN/proxy between you and the user that the response can be served to anyone. If the handler reads a session, cookie, or auth header — or branches on identity at all — using public will cache one user’s response and replay it to the next user (cross-tenant data leak). For authenticated responses, use private:

// Authenticated data — must NOT be 'public'.
export const getMyOrders = createServerFn({ method: 'GET' }).handler(
  async () => {
    const session = await requireSession()
    setResponseHeaders(
      new Headers({
        // 'private' = only the user-agent may cache. Vary by Cookie/Authorization
        // so any intermediary that does cache keys by identity, not URL alone.
        'Cache-Control': 'private, max-age=60',
        Vary: 'Cookie, Authorization',
      }),
    )
    return db.orders.findMany({ where: { userId: session.userId } })
  },
)


// For sensitive data, opt out entirely:
// setResponseHeaders(new Headers({ 'Cache-Control': 'no-store' }))

Available utilities:

  • getRequest() - Access the full Request object
  • getRequestHeader(name) - Read a specific request header
  • setResponseHeader(name, value) - Set a single response header
  • setResponseHeaders(headers) - Set multiple response headers via Headers object
  • setResponseStatus(code) - Set the HTTP status code

Streaming

Section titled “Streaming”

Stream typed data from server functions to the client. See the Streaming Data from Server Functions guide.

Raw Responses

Section titled “Raw Responses”

Return Response objects binary data, or custom content types.

Progressive Enhancement

Section titled “Progressive Enhancement”

Use server functions without JavaScript by leveraging the .url property with HTML forms.

Middleware

Section titled “Middleware”

Compose server functions with middleware for authentication, logging, and shared logic. See the Middleware guide.

Auth must be enforced on the server function, not the route. A createServerFn is an RPC endpoint reachable by direct POST regardless of which route renders the calling UI — a route beforeLoad redirect protects the page experience, but it does not stop a request from hitting the RPC directly. Apply authMiddleware (or an equivalent in-handler check) to every server function that needs auth. See Authentication Server Primitives.

Static Server Functions

Section titled “Static Server Functions”

Cache server function results at build time for static generation. See Static Server Functions.

Server Components

Section titled “Server Components”

Server functions can return Server Components - server-rendered React components that the client can compose. See Server Components.

Request Cancellation

Section titled “Request Cancellation”

Handle request cancellation with AbortSignal for long-running operations.

Function ID generation for production build

Section titled “Function ID generation for production build”

Server functions are addressed by a generated, stable function ID under the hood. These IDs are embedded into the client/SSR builds and used by the server to locate and import the correct module at runtime.

By default, IDs are SHA256 hashes of the same seed to keep bundles compact and avoid leaking file paths. If two server functions end up with the same ID (including when using a custom generator), the system de-duplicates by appending an incrementing suffix like _1, _2, etc.

Customization:

You can customize function ID generation for the production build by providing a generateFunctionId function when configuring the TanStack Start Vite plugin.

Prefer deterministic inputs (filename + functionName) so IDs remain stable between builds.

Please note that this customization is experimental and subject to change.

Example:

vite.config.ts
import { defineConfig } from 'vite'
import react from '@vitejs/plugin-react'
import { tanstackStart } from '@tanstack/react-start/plugin/vite'


export default defineConfig({
  plugins: [
    tanstackStart({
      serverFns: {
        generateFunctionId: ({ filename, functionName }) => {
          // Return a custom ID string
          return crypto
            .createHash('sha1')
            .update(`${filename}--${functionName}`)
            .digest('hex')


          // If you return undefined, the default is used
          // return undefined
        },
      },
    }),
    react(),
  ],
})

Note: Server functions use a compilation process that extracts server code from client bundles while maintaining seamless calling patterns. On the client, calls become fetch requests to the server.

t1