コンテンツにスキップ

JS Core SDK Overview

このコンテンツはまだ日本語訳がありません。

@authrim/core is Authrim’s platform-agnostic authentication core library. It provides a complete implementation of OAuth 2.0 and OpenID Connect protocols, designed to run in any JavaScript environment — browsers, Node.js, React Native, Cloudflare Workers, and more.

The core SDK handles:

  • Authorization Code Flow with PKCE
  • Silent Authentication
  • Device Authorization Grant (RFC 8628)
  • Token management with automatic refresh
  • Session management and logout
  • DPoP (RFC 9449), PAR (RFC 9126), JAR (RFC 9101), JARM
  • OIDC Discovery
  • Token Exchange (RFC 8693), Introspection (RFC 7662), Revocation (RFC 7009)
  • Native SSO token exchange with device_secret
  • Tenant discovery helpers for common-entry login experiences
  • Canonical Step-Up, device inventory, and customer profile protected-resource clients

The Authrim SDK follows a layered architecture with @authrim/core at the foundation:

flowchart TB
    app["Application Code"]
    subgraph sdks["Platform SDKs"]
        direction LR
        web["@authrim/web<br>(Browser)"]
        server["@authrim/server<br>(Node.js)"]
        kit["@authrim/sveltekit"]
    end
    core["@authrim/core<br>(OAuth 2.0 / OIDC protocol implementation)"]
    providers["Provider Interfaces<br>(CryptoProvider · Storage · HttpClient)"]
    app --> sdks --> core --> providers
  • @authrim/core — Protocol logic, token management, security features. No platform dependencies.
  • @authrim/web — Browser-specific implementation (popup/redirect login, Web Crypto API, localStorage).
  • @authrim/server — Resource-server token validation, JWKS management, DPoP validation, and framework middleware.
  • @authrim/sveltekit — SvelteKit integration with hooks and stores.
SpecificationRFCStatus
OAuth 2.0 Authorization Code + PKCERFC 6749 / RFC 7636Supported
OpenID Connect Core 1.0Supported
OIDC DiscoverySupported
Token ExchangeRFC 8693Supported
Token IntrospectionRFC 7662Supported
Token RevocationRFC 7009Supported
Device Authorization GrantRFC 8628Supported
DPoPRFC 9449Supported
Pushed Authorization RequestsRFC 9126Supported
JWT Secured Authorization Request (JAR)RFC 9101Supported
JWT Secured Authorization Response Mode (JARM)Supported
RP-Initiated LogoutSupported
Native SSO token exchange profileSupported

Use @authrim/core directly when:

  • You are building a custom platform adapter (e.g., React Native, Electron, Cloudflare Workers)
  • You need full control over the authentication flow
  • You want to implement custom storage or crypto providers
  • You need low-level clients such as TenantDiscoveryClient, StepUpClient, DeviceInventoryClient, or CustomerProfileClient

For most applications, prefer the platform-specific SDKs:

PlatformPackageWhen to Use
Browser (SPA)@authrim/webSingle-page applications with popup or redirect login
Server (Node.js)@authrim/serverResource-server token validation, middleware, and server-side protected-resource helpers
SvelteKit@authrim/sveltekitSvelteKit applications with SSR/CSR
import { createAuthrimClient } from '@authrim/core';
const client = await createAuthrimClient({
issuer: 'https://auth.example.com',
clientId: 'my-app',
crypto: myCryptoProvider,
storage: myStorageProvider,
http: myHttpClient,
redirectUri: 'https://myapp.com/callback',
dpop: {
tokenRequests: true,
algorithm: 'ES256',
},
});
// Build authorization URL
const { url } = await client.buildAuthorizationUrl({
redirectUri: 'https://myapp.com/callback',
scope: 'openid profile email',
});
// After redirect, handle the callback
const tokens = await client.handleCallback(window.location.href);
// Get access token (auto-refreshes if expired)
const accessToken = await client.token.getAccessToken();

The initialized AuthrimClient exposes these main areas:

APIPurpose
buildAuthorizationUrl() / handleCallback()Authorization Code + PKCE
client.parPushed Authorization Requests
client.deviceFlowDevice Authorization Grant
client.tokenaccess/id token access, refresh, token exchange, Native SSO exchange, introspection, revocation
client.session / getUser() / logout()local/session API and logout helpers
client.dpopDPoP key/proof helpers when the crypto provider supports DPoP
client.stepUpcanonical Step-Up actions
client.customerProfilesprotected customer profile reads and delegated writes
TenantDiscoveryClienttenant resolution before choosing an issuer