@oaauth/sdk  ·  v1.0 stable

Ship auth in
an afternoon.

Drop-in OIDC for Node.js. PKCE, session management, token rotation, and role gates — production-ready out of the box.

3 min
to first login
5 routes
full OIDC flow
0 rounds
JWKS local verify
Developer quickstart
01
Install the SDK one-time

One package covers PKCE, token exchange, session management, and JWKS verification.

bash
npm install @oaauth/sdk
bash
yarn add @oaauth/sdk
bash
pnpm add @oaauth/sdk
02
Set environment variables per app

Grab your SDK key from the dashboard. Internal credentials are resolved server-side.

.env
SDK_KEY=sdk_live_your_key_here
SDK_GATEWAY_URL=https://auth-q03m.onrender.com
OIDC_REDIRECT_URI=http://localhost:4000/callback
Both sdk_live_ and sdk_test_ prefixes work. Use test keys during development.
03
Initialise the client src/auth.js

Three config values. OIDC endpoints are discovered automatically from your issuer.

javascript
const { AuthClient } = require('@oaauth/sdk');

const auth = new AuthClient({
  sdkKey:      process.env.SDK_KEY,
  gatewayUrl:  process.env.SDK_GATEWAY_URL,
  redirectUri: process.env.OIDC_REDIRECT_URI,
});

module.exports = auth;
typescript
import { AuthClient } from '@oaauth/sdk';

export const auth = new AuthClient({
  sdkKey:      process.env.SDK_KEY!,
  gatewayUrl:  process.env.SDK_GATEWAY_URL!,
  redirectUri: process.env.OIDC_REDIRECT_URI!,
});
typescript
import { AuthClient } from '@oaauth/sdk';

export const auth = new AuthClient({
  sdkKey:      Bun.env.SDK_KEY,
  gatewayUrl:  Bun.env.SDK_GATEWAY_URL,
  redirectUri: Bun.env.OIDC_REDIRECT_URI,
});
04
Add routes to your app integration

Five routes cover the full OIDC flow — login, callback, session, refresh, and logout.

// GET /login — redirect user to OIDC provider
app.get('/login', auth.login);
// auth.login is a pre-bound Express handler.
// It generates PKCE params, stores state, and redirects.
// GET /callback — exchange code, create session
app.get('/callback', async (req, res) => {
  const { accessToken, refreshToken, user }
    = await auth.handleCallbackAndCreateSession(req);

  res.cookie('refreshToken', refreshToken, {
    httpOnly: true, sameSite: 'lax'
  });
  res.json({ accessToken, user });
});
// Protect a single route — req.user is populated
app.get('/me', auth.protect(), (req, res) => {
  res.json(req.user); // { sub, email, name, roles }
});

// Optional auth — req.user is null if no token
app.get('/feed', auth.protect({ optional: true }), handler);

// Protect an entire router
const apiRouter = express.Router();
apiRouter.use(auth.protect());
app.use('/api', apiRouter);
// POST /refresh — pre-built handler
// Reads refreshToken from cookie or body.
// Rotates the token and sets the updated cookie.
app.post('/refresh', auth.refreshRoute());

// Custom cookie name:
app.post('/refresh', auth.refreshRoute({
  cookieName: 'rt'
}));
// POST /logout — pre-built handler
// Revokes session, clears cookie.
app.post('/logout', auth.logoutRoute());

// Force-logout all devices for a user:
await auth.revokeAllSessions(req.user.sub);
// requireRole() — compose after protect()
app.delete(
  '/admin/users/:id',
  auth.protect(),
  auth.requireRole('admin'),
  deleteUser
);

// Multiple allowed roles:
auth.requireRole(['admin', 'moderator'])
// GET /api/me/sessions — list active sessions
app.get('/api/me/sessions',
  auth.protect(),
  async (req, res) => {
    const sessions = await auth.getSessions(req.user.sub);
    res.json({ sessions });
  }
);
// POST /api/me/logout-all — revoke every session
app.post('/api/me/logout-all',
  auth.protect(),
  async (req, res) => {
    const result = await auth.revokeAllSessions(req.user.sub);
    res.clearCookie('refreshToken');
    res.json({ success: true, revoked: result.revoked });
  }
);
Tokens are verified locally via JWKS by default — no gateway round-trip per request. Set localVerify: false to always verify via gateway.
05
Full working server copy-paste

A complete Express server using the SDK — every route, proper error handling.

javascript — server.js
// Install: npm i express cookie-parser @oaauth/sdk dotenv
require('dotenv').config();
const express  = require('express');
const cookies  = require('cookie-parser');
const { AuthClient } = require('@oaauth/sdk');

const app  = express();
const auth = new AuthClient({
  sdkKey:      process.env.SDK_KEY,
  gatewayUrl:  process.env.SDK_GATEWAY_URL,
  redirectUri: process.env.OIDC_REDIRECT_URI,
});

app.use(express.json());
app.use(cookies());

app.get('/login',    auth.login);
app.get('/callback', async (req, res) => {
  try {
    const result = await auth.handleCallbackAndCreateSession(req);
    res.cookie('refreshToken', result.refreshToken,
      { httpOnly: true, sameSite: 'lax' });
    res.json({ accessToken: result.accessToken, user: result.user });
  } catch(e) { res.status(400).json({ error: e.message }); }
});
app.post('/refresh', auth.refreshRoute());
app.post('/logout',  auth.logoutRoute());
app.get('/me', auth.protect(), (req,res) => res.json(req.user));
app.listen(4001);
Install dependencies first: npm i express cookie-parser @oaauth/sdk dotenv
Getting started
Overview Installation Configuration
Core API
AuthClient auth.login handleCallback auth.protect() requireRole() refreshRoute() logoutRoute()
Sessions
getSessions() revokeAllSessions()
SDK Gateway
Token Verify Session Create Session Refresh Session Revoke
Overview

OAauth is an auth infrastructure layer for Node.js applications. It handles the full OIDC flow — PKCE generation, token exchange, session lifecycle, and JWT verification — so your application never touches raw credentials.

Tokens are verified locally via JWKS by default. This means zero network latency on protected routes. No gateway call happens per request unless you set localVerify: false.
How it works

When a user logs in, your server redirects them to the OIDC provider via auth.login. After the provider authenticates the user, it redirects back to your /callback route. The SDK exchanges the authorization code for tokens, creates an opaque session (stored in the SDK gateway), and returns an access token and refresh token to your application.

Your frontend holds the short-lived access token in memory. The refresh token lives in an httpOnly cookie, invisible to JavaScript. When the access token expires, your frontend calls /refresh and gets a new pair — silently, without the user noticing.

Installation

The SDK requires Node.js 18 or later.

bash
# Choose your package manager
npm install @oaauth/sdk
yarn add @oaauth/sdk
pnpm add @oaauth/sdk

You will also need cookie-parser if you are using Express, as the SDK reads and writes cookies via req.cookies.

Configuration

All configuration is passed to the AuthClient constructor. Sensitive values should come from environment variables — never hardcode credentials.

.env
SDK_KEY=sdk_live_your_key_here
SDK_GATEWAY_URL=https://auth-q03m.onrender.com
OIDC_REDIRECT_URI=http://localhost:4000/callback
KeyTypeRequiredDescription
SDK_KEYstringrequiredYour SDK key from the dashboard. Prefix sdk_live_ for production, sdk_test_ for development.
SDK_GATEWAY_URLstringrequiredBase URL of the OAauth SDK gateway service.
OIDC_REDIRECT_URIstringrequiredThe callback URL registered in your application. Must exactly match a URI registered in the dashboard.
AuthClient

The main class. Instantiate once and export — import the instance wherever you need auth logic.

javascript
const { AuthClient } = require('@oaauth/sdk');

const auth = new AuthClient({
  sdkKey:      process.env.SDK_KEY,
  gatewayUrl:  process.env.SDK_GATEWAY_URL,
  redirectUri: process.env.OIDC_REDIRECT_URI,

  // Optional — defaults shown
  localVerify: true,    // verify tokens via JWKS locally
  sessionTtl:  604800,  // refresh token TTL in seconds (7d)
});
auth.login

An Express request handler. Wire it directly as a route callback — no wrapper needed.

GET /login

When a user hits this route, the SDK generates a PKCE code verifier and challenge, stores state in a short-lived cookie, and redirects the user to the OIDC provider's authorization endpoint. No configuration beyond the initial AuthClient setup is required.

javascript
app.get('/login', auth.login);
handleCallbackAndCreateSession()

Exchanges the authorization code for tokens and creates a session in the SDK gateway. Returns the access token, refresh token, and user profile.

GET /callback
javascript
app.get('/callback', async (req, res) => {
  const { accessToken, refreshToken, user }
    = await auth.handleCallbackAndCreateSession(req);

  res.cookie('refreshToken', refreshToken, {
    httpOnly: true, sameSite: 'lax',
    maxAge: 7 * 24 * 60 * 60 * 1000
  });
  res.json({ accessToken, user });
});
Returns
FieldTypeDescription
accessTokenstringShort-lived JWT. Pass as Authorization: Bearer <token>. Expires in 15 minutes.
refreshTokenstringOpaque long-lived token. Store in an httpOnly cookie. Used to rotate access tokens.
userobjectOIDC user claims: { sub, email, name, roles }
auth.protect()

Middleware factory that validates the access token on each request and populates req.user. Tokens are verified locally by default — no network call required.

javascript
// Require authentication
app.get('/me', auth.protect(), (req, res) => {
  res.json(req.user); // { sub, email, name, roles }
});

// Optional — req.user is null for unauthenticated requests
app.get('/feed', auth.protect({ optional: true }), handler);

// Apply to an entire router
router.use(auth.protect());
OptionTypeDefaultDescription
optionalbooleanfalseWhen true, unauthenticated requests pass through with req.user = null instead of returning 401.
requireRole()

Middleware that checks whether req.user.roles includes the required role. Must be composed after auth.protect().

javascript
// Single role
app.delete(
  '/admin/users/:id',
  auth.protect(),
  auth.requireRole('admin'),
  deleteUser
);

// Multiple roles — user must have at least one
auth.requireRole(['admin', 'moderator'])
refreshRoute()

A pre-built Express route handler that reads the refresh token from an httpOnly cookie (or request body), rotates the token pair, and sets the new cookie.

POST /refresh
javascript
// Default — reads from cookie named 'refreshToken'
app.post('/refresh', auth.refreshRoute());

// Custom cookie name
app.post('/refresh', auth.refreshRoute({ cookieName: 'rt' }));
logoutRoute()

A pre-built handler that revokes the current session in the SDK gateway and clears the refresh token cookie.

POST /logout
javascript
app.post('/logout', auth.logoutRoute());
getSessions()

Fetches all active sessions for a given user from the SDK gateway. Useful for building a "logged-in devices" UI.

javascript
app.get('/api/me/sessions',
  auth.protect(),
  async (req, res) => {
    const sessions = await auth.getSessions(req.user.sub);
    res.json({ sessions });
  }
);
Session object
FieldTypeDescription
sessionIdstringUnique session identifier.
deviceNamestringInferred from user-agent string.
ipstringIP address at time of login.
lastUsedAtstringISO 8601 timestamp of the last token use.
expiresAtstringISO 8601 expiry timestamp.
revokeAllSessions()

Immediately invalidates every active session for a user. All devices are logged out. Commonly used for security events or account deletion.

javascript
app.post('/api/me/logout-all',
  auth.protect(),
  async (req, res) => {
    const result = await auth.revokeAllSessions(req.user.sub);
    res.clearCookie('refreshToken');
    res.json({ success: true, revoked: result.revoked });
  }
);
SDK Gateway — Token Verify

Directly call the SDK gateway to verify an access token and decode its payload.

POST /sdk/token/verify
HeaderRequiredDescription
x-sdk-keyrequiredYour SDK key.
BodyTypeDescription
tokenstringThe access token JWT to verify.
SDK Gateway — Session Create

Manually create a session for a verified user identity. Useful for custom auth flows or migration scenarios.

POST /sdk/session/create
BodyTypeRequired
substringrequired
emailstringrequired
namestringrequired
SDK Gateway — Session Refresh

Rotate a refresh token. Returns a new access token and refresh token pair. The old refresh token is invalidated immediately.

POST /sdk/session/refresh
SDK Gateway — Session Revoke

Revoke a single session by refresh token, or all sessions for a user by userId.

POST /sdk/session/logout
POST /sdk/session/logout-all
OAauth
Welcome back
Sign in to your developer account

No account? Create one free

OAauth
Create account
Start building with OAauth today

Already have an account? Sign in

Dashboard
Your applications and their status
0
applications
total logins
active sdk keys
Your applications
Loading...
Applications
Each app has independent credentials
Loading...
Loading...
Request logs
TimeMethodEndpointAppStatusLatency
Connect your logging middleware to populate live data
Account settings
Profile
Developer token
JWT token

Pass as Authorization: Bearer <token> to the portal API.

Danger zone
Token management
Token Tools

Inspect, verify, and rotate tokens. All SDK gateway endpoints accessible here.

Verify access token POST /sdk/token/verify

Paste an access token to verify its signature and decode the payload.

Create session POST /sdk/session/create
Refresh session POST /sdk/session/refresh
Revoke session POST /sdk/session/logout
List sessions GET /sdk/session/list/:userId