JS Core SDK Overview

Introduction

@authrim/core is Authrim’s platform-agnostic authentication core library. It provides a complete implementation of OAuth 2.0 and OpenID Connect protocols, designed to run in any JavaScript environment — browsers, Node.js, React Native, Cloudflare Workers, and more.

The core SDK handles:

  • Authorization Code Flow with PKCE
  • Silent Authentication
  • Device Authorization Grant (RFC 8628)
  • Token management with automatic refresh
  • Session management and logout
  • DPoP (RFC 9449), PAR (RFC 9126), JAR (RFC 9101), JARM
  • OIDC Discovery
  • Token Exchange (RFC 8693), Introspection (RFC 7662), Revocation (RFC 7009)

Architecture

The Authrim SDK follows a layered architecture with @authrim/core at the foundation:

flowchart TB
    app["Application Code"]
    subgraph sdks["Platform SDKs"]
        direction LR
        web["@authrim/web (Browser)"]
        server["@authrim/server (Node.js)"]
        kit["@authrim/sveltekit"]
    end
    core["@authrim/core (OAuth 2.0 / OIDC protocol implementation)"]
    providers["Provider Interfaces (CryptoProvider · Storage · HttpClient)"]
    app --> sdks --> core --> providers

  • @authrim/core — Protocol logic, token management, security features. No platform dependencies.
  • @authrim/web — Browser-specific implementation (popup/redirect login, Web Crypto API, localStorage).
  • @authrim/server — Server-side implementation (Node.js crypto, session stores).
  • @authrim/sveltekit — SvelteKit integration with hooks and stores.

Supported Specifications

| Specification                                    | RFC                  | Status    |
|--------------------------------------------------|----------------------|-----------|
| OAuth 2.0 Authorization Code + PKCE              | RFC 6749 / RFC 7636  | Supported |
| OpenID Connect Core 1.0                          |                      | Supported |
| OIDC Discovery                                   |                      | Supported |
| Token Exchange                                   | RFC 8693             | Supported |
| Token Introspection                              | RFC 7662             | Supported |
| Token Revocation                                 | RFC 7009             | Supported |
| Device Authorization Grant                       | RFC 8628             | Supported |
| DPoP                                             | RFC 9449             | Supported |
| Pushed Authorization Requests                    | RFC 9126             | Supported |
| JWT Secured Authorization Request (JAR)          | RFC 9101             | Supported |
| JWT Secured Authorization Response Mode (JARM)   |                      | Supported |
| RP-Initiated Logout                              |                      | Supported |

When to Use @authrim/core

Use @authrim/core directly when:

  • You are building a custom platform adapter (e.g., React Native, Electron, Cloudflare Workers)
  • You need full control over the authentication flow
  • You want to implement custom storage or crypto providers

For most applications, prefer the platform-specific SDKs:

| Platform          | Package             | When to Use                                              |
|-------------------|---------------------|----------------------------------------------------------|
| Browser (SPA)     | @authrim/web        | Single-page applications with popup or redirect login    |
| Server (Node.js)  | @authrim/server     | Server-side rendering, API routes, backend services      |
| SvelteKit         | @authrim/sveltekit  | SvelteKit applications with SSR/CSR                      |

Quick Example

import { createAuthrimClient } from '@authrim/core';

// Create a client from the platform-agnostic core plus your own providers
const client = await createAuthrimClient({
  issuer: 'https://auth.example.com',
  clientId: 'my-app',
  crypto: myCryptoProvider,
  storage: myStorageProvider,
  http: myHttpClient,
  redirectUri: 'https://myapp.com/callback',
});

// Build authorization URL
const { url } = await client.buildAuthorizationUrl({
  redirectUri: 'https://myapp.com/callback',
  scope: 'openid profile email',
});

// After redirect, handle the callback
const tokens = await client.handleCallback(window.location.href);

// Get access token (auto-refreshes if expired)
const accessToken = await client.token.getAccessToken();

Next Steps