Eazip
Eazip Cloud

Backend-created sessions

Create the session on your server; hand the browser only the session handle.

For very large or sensitive exports, you may not want the full source URL list to ever reach the browser — a report with thousands of internal signed links, say, or a listing your users shouldn't be able to read directly out of your JS bundle. cloud supports this: instead of files + publicKey, pass a createSession callback that asks your own backend to create the Public Session, and hand the SDK only the resulting handle.

const job = startZip({
  strategy: 'cloud',
  zipName: 'export.zip',
  filesTotal: 50_000, // optional — an initial count for UI before the first poll
  createSession: async ({ signal, zipName, mode, failOnUrlError, maxZipSizeBytes }) => {
    const response = await fetch('/api/exports/123/eazip-session', {
      method: 'POST',
      credentials: 'include',
      headers: { 'Content-Type': 'application/json' },
      signal,
      body: JSON.stringify({ zipName, mode }),
    });
    if (!response.ok) throw new Error('Failed to create Eazip session');
    return response.json(); // { sessionId, clientSecret, apiBaseUrl? }
  },
});

The same option exists on @eazip/react's download()useEazip() documents the exact shape (EazipCloudSessionDownloadOptions).

How it fits together

Your backend endpoint (/api/exports/123/eazip-session above) is where the real work happens — it holds the full URL list and whatever server-side credential the Eazip API requires to create a session on your behalf, and returns { sessionId, clientSecret, apiBaseUrl? }. None of that is part of this SDK: creating a session with a secret, server-side credential is explicitly out of scope for @eazip/core and @eazip/react, which stay browser-first by design. Once your endpoint returns the handle, createSession's job is done — the SDK takes over exactly as if it had created the session itself: it polls to completion, populates job.getSnapshot().session, and drives download()/downloadAll() off the same signed links.

publicKey and files aren't used on this path — the type forbids passing them alongside createSession — because your backend is the thing authorized to create the session, not the browser.

Persistence

@eazip/react persists backend-created sessions the same way as any other cloud task — sessionId + clientSecret, enough to resumeZip() after a reload — with one difference: because the original request lived in a closure your backend executed, not a plain files array, it isn't replayed. A restored backend-created task can resume an in-progress job, but after a reload retry() is no longer available for it — trigger a fresh download() call instead. (During the original session, retry() works as usual: the store still holds your createSession callback.) See Persistence & reload-resume.