Skip to content

Configuration & Advanced

import { createAuthrim } from '@authrim/sveltekit';
const auth = await createAuthrim({
issuer: 'https://auth.example.com',
clientId: 'my-app',
authMode: 'server',
storage: {
prefix: 'authrim',
storage: 'memory',
},
});
OptionTypeDefaultDescription
issuerstringrequiredAuthrim server URL
clientIdstringrequiredOAuth client ID
tenantIdstringTenant id used to scope browser DPoP key material
authMode'server' | 'browser''server'Token handling mode
profile'auto' | 'token' | 'cookie''auto'Framework-level session profile
serverSessionServerMediatedSessionOptionsSee belowSame-origin cookie session endpoints
csrf{ cookieName?: string; headerName?: string }See belowDouble-submit CSRF settings for cookie requests
storageStorageOptions{}Client-side storage settings
browserPublicClientMode'strict' | 'cookie_fallback' | 'legacy'Mode-dependentBrowser public-client security mode
browserRefreshTokenPolicy'disabled' | 'dpop_bound''disabled'Browser refresh token policy
enableOAuthbooleanfalseEnable OAuth/OIDC namespace
silentLoginRedirectUristring{origin}/callback.htmlOAuth silent-login callback URI
ModeBehaviorUse Case
'server'Direct Auth artifacts are redeemed through same-origin SvelteKit endpoints. OAuth/OIDC tokens stay out of browser JS and the app uses an HttpOnly cookie session.Default for SvelteKit apps
'browser'The browser SDK holds OAuth/OIDC token material directly.Explicit browser-token integrations

In server mode, profile: 'auto' resolves to the cookie profile. In browser mode, use profile: 'token' when you intentionally need browser-held token flows.

OptionTypeDefaultDescription
exchangeEndpointstring'/authrim/session/exchange'Redeems Direct Auth artifacts and sets the HttpOnly session cookie
sessionEndpointstring'/authrim/session'Returns the current cookie-backed session
logoutEndpointstring'/authrim/session/logout'Clears the cookie-backed session
checkOnMountbooleanfalseAllows AuthProvider to fetch the cookie session on mount when no SSR session was provided
credentialsRequestCredentials'same-origin'Credentials mode for same-origin session requests
OptionTypeDefaultDescription
cookieNamestring'authrim_csrf'Double-submit CSRF cookie name
headerNamestring'X-Authrim-CSRF'Header copied into cookie-profile state-changing requests
OptionTypeDefaultDescription
prefixstring'authrim'Key prefix for storage entries
storageStorageType'memory'Storage backend
StorageTypeBehavior
'memory'In-memory only — lost on page refresh
'sessionStorage'Per-tab — cleared when tab closes
'localStorage'Persistent — shared across tabs

The SDK uses Svelte context to share the auth client across components.

AuthProvider calls setAuthContext(auth) internally. For manual setup:

import { setAuthContext } from '@authrim/sveltekit';
// Inside a Svelte component's initialization
setAuthContext(auth);
import { getAuthContext, hasAuthContext } from '@authrim/sveltekit';
// Get auth client (throws if not set)
const auth = getAuthContext();
// Check if context exists
if (hasAuthContext()) {
const auth = getAuthContext();
}
// ✅ Correct — called at component init
const auth = getAuthContext();
onMount(() => {
// ✅ Use auth here
auth.session.get();
});
function handleClick() {
// ✅ Use auth here
auth.passkey.login();
}
// ❌ Wrong — getAuthContext inside onMount
onMount(() => {
const auth = getAuthContext(); // Throws!
});

For advanced customization, you can override the HTTP client, crypto provider, and storage:

import {
BrowserHttpClient,
BrowserCryptoProvider,
createBrowserStorage,
} from '@authrim/sveltekit';
ProviderPurpose
BrowserHttpClientHTTP requests to Authrim server
BrowserCryptoProviderPKCE code verifier/challenge generation
createBrowserStorage()Client-side storage abstraction

When the auth client is no longer needed, call destroy() to clean up:

auth.destroy();

This removes event listeners and clears timers. AuthProvider calls this automatically on component destroy.

If you’re not using AuthProvider, you must call destroy() manually:

<script lang="ts">
import { onDestroy } from 'svelte';
import { getAuthContext } from '@authrim/sveltekit';
const auth = getAuthContext();
onDestroy(() => {
auth.destroy();
});
</script>

All types are exported from @authrim/sveltekit:

import type {
// Config
AuthrimConfig,
StorageOptions,
StorageType,
// Client
AuthrimClient,
// Response
AuthResponse,
AuthError,
AuthSessionData,
// Namespaces
PasskeyNamespace,
EmailCodeNamespace,
SocialNamespace,
SessionNamespace,
ConsentNamespace,
DeviceFlowNamespace,
CIBANamespace,
LoginChallengeNamespace,
// Stores
AuthStores,
AuthLoadingState,
// Events
AuthEventName,
AuthEventPayloads,
AuthEventHandler,
// Core re-exports
Session,
User,
SocialProvider,
PasskeyLoginOptions,
PasskeySignUpOptions,
PasskeyRegisterOptions,
PasskeyCredential,
EmailCodeSendOptions,
EmailCodeSendResult,
EmailCodeVerifyOptions,
SocialLoginOptions,
} from '@authrim/sveltekit';

Server types:

import type {
ServerAuthContext,
ServerSessionManager,
ServerSessionManagerOptions,
AuthHandleOptions,
AuthLoadOptions,
} from '@authrim/sveltekit/server';

AuthProvider uses synchronous SSR sync (_syncFromSSR()) to prevent hydration mismatch. The store values are set before the first render, so $isAuthenticated is correct immediately.

createAuthrim() uses browser APIs (fetch, crypto, localStorage). Always call it inside onMount or with a dynamic import:

// ✅ Correct — inside onMount
onMount(async () => {
const { getAuth } = await import('$lib/auth');
auth = await getAuth();
});
// ❌ Wrong — runs on server too
import { getAuth } from '$lib/auth';
const auth = await getAuth(); // Fails on server

Use PUBLIC_ prefix for client-accessible env vars:

Terminal window
PUBLIC_AUTHRIM_ISSUER=https://auth.example.com
PUBLIC_AUTHRIM_CLIENT_ID=my-app

Access via import.meta.env.PUBLIC_AUTHRIM_ISSUER in client code.

The SDK components use Svelte 4 syntax internally but work in both Svelte 4 and 5 projects. Here’s a syntax mapping for your app code:

FeatureSvelte 5 (Recommended)Svelte 4
Propslet { data } = $props()export let data
Statelet count = $state(0)let count = 0
Derivedconst doubled = $derived(count * 2)$: doubled = count * 2
Effects$effect(() => { ... })$: { ... }
Events (listen)onclick={handler}on:click={handler}
Events (dispatch)Callback propscreateEventDispatcher()
Slots (default){@render children()}<slot />
Slots (named){#snippet name()}{/snippet}<div slot="name">
Slot propsSnippet paramslet:propName

SDK components dispatch events using Svelte 4’s createEventDispatcher. In Svelte 5 projects, both syntaxes work:

<!-- Both work in Svelte 5 -->
<SignInButton on:success={handleSuccess} />
<SignInButton onsuccess={handleSuccess} />

SDK components use <slot> and <slot name="...">. In Svelte 5 projects, both syntaxes work:

<!-- Svelte 5 snippet syntax -->
<ProtectedRoute>
<p>Protected content</p>
{#snippet loading()}
<p>Loading...</p>
{/snippet}
</ProtectedRoute>
<!-- Svelte 4 slot syntax (also works in Svelte 5) -->
<ProtectedRoute>
<p>Protected content</p>
<p slot="loading">Loading...</p>
</ProtectedRoute>

”getContext must be called during component initialization”

Section titled “”getContext must be called during component initialization””

getAuthContext() was called outside component initialization. Move it to the top level of your <script> block.

”Cannot read properties of null (reading ‘passkey’)”

Section titled “”Cannot read properties of null (reading ‘passkey’)””

The auth client is not initialized. Ensure AuthProvider wraps your component tree and the client is created before rendering.

Events automatically update stores. If stores don’t update, check that:

  1. You’re using the same AuthrimClient instance (singleton pattern)
  2. AuthProvider is at the root of your component tree
  3. You haven’t created a second client instance

Ensure you pass initialSession and initialUser to AuthProvider:

<AuthProvider
{auth}
initialSession={data.auth?.session ?? null}
initialUser={data.auth?.user ?? null}
>
  1. Register your callback URL in the Authrim Admin panel
  2. Ensure callbackPaths includes your callback route in createAuthHandle()
  3. Check that the callback page calls auth.social.handleCallback()

Check your createAuthHandle() options:

  • secure: true requires HTTPS (use false for local development)
  • sameSite: 'strict' blocks cross-origin redirects (use 'lax' for OAuth flows)
  • httpOnly: true prevents JavaScript access (recommended)