Skip to content

Configuration Reference

The createAuthrim() function accepts an AuthrimConfig object:

import { createAuthrim } from '@authrim/web';
const auth = await createAuthrim({
// Required
issuer: 'https://auth.example.com',
clientId: 'my-app',
// Optional
tenantId: 'tenant_123',
enableOAuth: false,
storage: { ... },
profile: 'token',
browserPublicClientMode: 'strict',
browserRefreshTokenPolicy: 'disabled',
silentLoginRedirectUri: 'https://myapp.com/callback.html',
});
TypeRequiredDescription
stringYesAuthrim IdP URL

The base URL of your Authrim server. The SDK appends well-known paths for discovery, token endpoints, and Direct Auth endpoints.

issuer: 'https://auth.example.com'
TypeRequiredDescription
stringYesOAuth client ID

The client ID registered in the Authrim Admin panel.

clientId: 'my-application'
TypeDefaultDescription
booleanfalseEnable OAuth/OIDC features

When true, the auth.oauth namespace becomes available, providing:

  • auth.oauth.popup.login() — Popup-based OAuth login
  • auth.oauth.silentAuth.check() — Iframe-based silent authentication
  • auth.oauth.trySilentLogin() — Top-level navigation SSO
  • auth.oauth.handleSilentCallback() — SSO callback handler
  • auth.oauth.buildAuthorizationUrl() — Manual authorization URL building
  • auth.oauth.handleCallback() — Manual callback handling
// Without OAuth (default)
const auth = await createAuthrim({
issuer: 'https://auth.example.com',
clientId: 'my-app',
});
// auth.oauth is undefined
// With OAuth
const authWithOAuth = await createAuthrim({
issuer: 'https://auth.example.com',
clientId: 'my-app',
enableOAuth: true,
});
// authWithOAuth.oauth is available
TypeDefaultDescription
stringTenant id used to scope browser DPoP key material

Set this when your app knows the active tenant before creating the SDK client. It prevents browser-held DPoP keys from being reused across tenants for the same issuer and client id.

TypeDefaultDescription
StorageOptionsSee belowStorage configuration
interface StorageOptions {
/** Key prefix for stored items (default: 'authrim') */
prefix?: string;
/** Storage backend (default: 'memory') */
storage?: 'memory' | 'sessionStorage' | 'localStorage';
}
TypeScopePersistenceSecurity
'memory'Current page lifecycleCleared on reload/navigationMost secure (no DOM storage)
'sessionStorage'Current tabSurvives reload, cleared on tab closeAccessible to JS in the tab
'localStorage'All tabsPersistent across browser restartsAccessible to JS across tabs
// Default / strict security
storage: { storage: 'memory' }
// Reload persistence
storage: { storage: 'sessionStorage' }
// Persistent general storage; Direct Auth tokens still use memory
// unless sessionStorage is selected.
storage: { storage: 'localStorage', prefix: 'myapp-auth' }
TypeDefaultDescription
'token' | 'cookie''token'Browser session profile

@authrim/web defaults to the browser-token profile. Use profile: 'cookie' only when your app is integrated with a same-origin token-handler or BFF that owns an HttpOnly cookie session. profile: 'auto' is reserved for framework adapters such as @authrim/sveltekit; do not use it directly with @authrim/web.

const auth = await createAuthrim({
issuer: 'https://auth.example.com',
clientId: 'my-app',
profile: 'token',
});
TypeDefaultDescription
'strict' | 'cookie_fallback' | 'legacy''strict'Browser public-client security mode

Custom browser SDK clients default to strict. Hosted or BFF-style integrations may select cookie_fallback at the integration boundary.

TypeDefaultDescription
'disabled' | 'dpop_bound''disabled'Browser refresh token policy

Use dpop_bound only when the browser can keep stable non-extractable DPoP key material for this issuer and client.

TypeDefaultDescription
{ cookieName?: string; headerName?: string }{ cookieName: 'authrim_csrf', headerName: 'X-Authrim-CSRF' }Double-submit CSRF integration for cookie profile requests
TypeDefaultDescription
string${window.location.origin}/callback.htmlRedirect URI for silent SSO

Used by auth.oauth.trySilentLogin() and auth.oauth.handleSilentCallback(). Must be a page that calls handleSilentCallback().

silentLoginRedirectUri: 'https://myapp.com/auth/callback'

The Authrim return type is conditional based on enableOAuth:

// enableOAuth: false (or omitted)
// Type: AuthrimBase
const auth = await createAuthrim({
issuer: '...',
clientId: '...',
});
auth.passkey // ✅ Available
auth.emailCode // ✅ Available
auth.social // ✅ Available
auth.session // ✅ Available
auth.oauth // ❌ undefined
// enableOAuth: true
// Type: AuthrimWithOAuth
const auth = await createAuthrim({
issuer: '...',
clientId: '...',
enableOAuth: true,
});
auth.passkey // ✅ Available
auth.oauth // ✅ Available
NamespaceDescription
auth.passkeyPasskey (WebAuthn) authentication
auth.emailCodeEmail code (OTP) authentication
auth.socialSocial provider authentication
auth.sessionSession management
auth.handoffVerify Smart Handoff SSO tokens
auth.stepUpStart, resend, and complete step-up challenges
auth.customerProfilesDelegated/elevated customer profile reads and writes
auth.devicesList, rename, and unlink trusted devices
auth.fetch()Fetch protected resources with token or cookie profile behavior
auth.signInSign-in shortcuts
auth.signUpSign-up shortcuts
auth.signOut()Sign out
auth.signOutApplicationGroup()Sign out the current application group
auth.signOutAll()Global sign-out
auth.on()Event subscription
NamespaceDescription
auth.oauth.popupPopup-based OAuth login
auth.oauth.silentAuthIframe-based silent authentication
auth.oauth.trySilentLogin()Top-level navigation SSO
auth.oauth.handleSilentCallback()SSO callback handler
auth.oauth.buildAuthorizationUrl()Manual authorization URL
auth.oauth.handleCallback()Manual callback handling

The SDK provides shortcut methods for common operations:

// Shortcut: auth.signIn.passkey()
// Equivalent: auth.passkey.login()
const { data, error } = await auth.signIn.passkey();
// Shortcut: auth.signIn.social('google')
// Equivalent: auth.social.loginWithPopup('google')
const { data, error } = await auth.signIn.social('google');
// Shortcut: auth.signUp.passkey({ email })
// Equivalent: auth.passkey.signUp({ email })
const { data, error } = await auth.signUp.passkey({ email: '[email protected]' });
const auth = await createAuthrim({
issuer: 'https://auth.example.com',
clientId: 'my-app',
});
const auth = await createAuthrim({
issuer: 'https://auth.example.com',
clientId: 'my-app',
enableOAuth: true,
tenantId: 'tenant_123',
storage: {
prefix: 'myapp',
storage: 'sessionStorage',
},
profile: 'token',
browserPublicClientMode: 'strict',
browserRefreshTokenPolicy: 'disabled',
csrf: {
cookieName: 'authrim_csrf',
headerName: 'X-Authrim-CSRF',
},
silentLoginRedirectUri: 'https://myapp.com/callback',
});