Best practice: how to fetch data after the page has loaded

Hi community,

I’m currently working on a Next.js site with a blog integration that fetches data from Prismic. The initial page data is fetched using getStaticProps() at page generation. On the page there is also an option to load more posts by clicking on a button (lazy loading). What’s the best way to fetch the data from Prismic after the button has been clicked?

At the moment the button triggers a function that runs a Prismic query via the Prismic Client. I think that this is not the best solution, because the user can afterwards see the request with the repo name etc. in the network tab of the dev tools. If my Prismic API is set to public, anyone can query the API. When setting it to private, the user can also see the secret token, because the request is visible in the network tab.

What do you think is the best and most secure way to handle this?
Thanks in advance for your help!

Hello @feicht.marco

Thanks for reaching out to us.

It is true. If you set your repo to public, the content will be public. Anyone might be able to query content from your repo, but not really anything else. Meaning this doesn't imply that it is a security risk because, even if someone has the endpoint, he will not be able to modify anything without access to the repository with the owner's permission.

So if your repository is set to private, it is not possible to hide the access token on the client side. But then there is no issue in sharing the URL internally, because the token you create in your settings has read-only permission to access your content. Currently, Prismic doesn't have a content Write API.

I hope it answered your question, let me know if you have any further questions related to it.

Thanks,
Priyanka

Hi @Priyanka ,

Thanks for your answer.

So, there is only the option to query the repo and modifying is disabled?

In the section "Permanent Access Tokens" I have generated a token for my Next.js site. What permissions do I have when using this token (query, update, delete)?

Exactly.

You can only query your content with permanent access tokens if your repo is private.

I found an article on setting up a server-side API proxy to hide your access tokens in client-side queries. Here is an article that explains the basics of what this is:

It might be helpful for you.

Let me know if you have any further questions.

Thanks,
Priyanka
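A sketch of the server-side API proxy mentioned above, added here as an example (it is not code from the thread or from Prismic): a Next.js API route runs the "load more" query on the server with the permanent access token read from a server-only environment variable, so the browser only ever requests /api/posts?page=N and never sees the token or the repository endpoint. The Prismic call is injected as `queryPosts` (an assumed name) and replaced by a constructed fake so the example runs offline.

```javascript
const PAGE_SIZE = 10, MAX_PAGE = 100;

// Accept only a small positive integer: the proxy exposes one fixed query
// (a page of blog posts), not arbitrary predicates against the repository.
function parsePage(raw) {
  if (typeof raw !== 'string' || !/^\d{1,3}$/.test(raw)) return null;
  const page = Number(raw);
  return page >= 1 && page <= MAX_PAGE ? page : null;
}

// Reduce each document to the fields the list needs; the full API response stays server-side.
function publicPost(doc) {
  return { id: doc.id, uid: doc.uid, title: doc.data.title, date: doc.first_publication_date };
}

// queryPosts({ token, page, pageSize }) is assumed to wrap the real Prismic client.
// The token comes from a server-only env var, so it never reaches the browser bundle.
// In pages/api/posts.js this would end with: export default createPostsHandler(prismicQuery)
function createPostsHandler(queryPosts, env = process.env) {
  return async function handler(req, res) {
    if (req.method !== 'GET') return res.status(405).json({ error: 'method not allowed' });
    const page = parsePage(req.query.page);
    if (page === null) return res.status(400).json({ error: 'invalid page' });
    if (!env.PRISMIC_ACCESS_TOKEN) return res.status(500).json({ error: 'server misconfigured' });
    try {
      const r = await queryPosts({ token: env.PRISMIC_ACCESS_TOKEN, page, pageSize: PAGE_SIZE });
      return res.status(200).json({ page, totalPages: r.total_pages, results: r.results.map(publicPost) });
    } catch (e) {
      return res.status(502).json({ error: 'upstream query failed' }); // do not forward upstream error text
    }
  };
}

// Minimal stand-in for Next's `res`, so the handler can be exercised offline.
function captureResponse() {
  const out = { statusCode: 0, body: null, status(c) { out.statusCode = c; return out; }, json(b) { out.body = b; return out; } };
  return out;
}

// Constructed fake upstream: one document per page, page 3 simulates a failure.
async function fakeQueryPosts({ token, page }) {
  if (token !== 'test-token') throw new Error('unauthorized');
  if (page === 3) throw new Error('network error');
  const doc = { id: 'doc-' + page, uid: 'post-' + page, data: { title: 'Post ' + page, body: '...' }, first_publication_date: '2023-01-0' + page };
  return { total_pages: 2, results: [doc] };
}

// Run one request (what the browser sends as /api/posts?page=<raw>) through the proxy.
async function demo(raw, method = 'GET') {
  const res = captureResponse();
  await createPostsHandler(fakeQueryPosts, { PRISMIC_ACCESS_TOKEN: 'test-token' })({ method, query: { page: raw } }, res);
  return res;
}
```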

