The createAuthrim() function accepts an AuthrimConfig object:
import { createAuthrim } from ' @authrim/web ' ;
const auth = await createAuthrim ( {
issuer: ' https://auth.example.com ' ,
browserPublicClientMode: ' strict ' ,
browserRefreshTokenPolicy: ' disabled ' ,
silentLoginRedirectUri: ' https://myapp.com/callback.html ' ,
Type Required Description stringYes Authrim IdP URL
The base URL of your Authrim server. The SDK appends well-known paths for discovery, token endpoints, and Direct Auth endpoints.
issuer: ' https://auth.example.com '
Type Required Description stringYes OAuth client ID
The client ID registered in the Authrim Admin panel.
clientId: ' my-application '
Type Default Description booleanfalseEnable OAuth/OIDC features
When true, the auth.oauth namespace becomes available, providing:
auth.oauth.popup.login() — Popup-based OAuth login
auth.oauth.silentAuth.check() — Iframe-based silent authentication
auth.oauth.trySilentLogin() — Top-level navigation SSO
auth.oauth.handleSilentCallback() — SSO callback handler
auth.oauth.buildAuthorizationUrl() — Manual authorization URL building
auth.oauth.handleCallback() — Manual callback handling
// Without OAuth (default)
const auth = await createAuthrim ( {
issuer: ' https://auth.example.com ' ,
// auth.oauth is undefined
const authWithOAuth = await createAuthrim ( {
issuer: ' https://auth.example.com ' ,
// authWithOAuth.oauth is available
Note
Direct Auth methods (passkey, emailCode, social, session) are always available regardless of enableOAuth.
Type Default Description string— Tenant id used to scope browser DPoP key material
Set this when your app knows the active tenant before creating the SDK client. It prevents browser-held DPoP keys from being reused across tenants for the same issuer and client id.
Type Default Description StorageOptionsSee below Storage configuration
interface StorageOptions {
/** Key prefix for stored items (default: 'authrim') */
/** Storage backend (default: 'memory') */
storage ?: ' memory ' | ' sessionStorage ' | ' localStorage ' ;
Type Scope Persistence Security 'memory'Current page lifecycle Cleared on reload/navigation Most secure (no DOM storage) 'sessionStorage'Current tab Survives reload, cleared on tab close Accessible to JS in the tab 'localStorage'All tabs Persistent across browser restarts Accessible to JS across tabs
Note
localStorage is accepted by the general browser storage provider, for example for core/OAuth state. Direct Auth access and refresh tokens are only persisted in memory or, when explicitly configured, sessionStorage.
// Default / strict security
storage: { storage: ' memory ' }
storage: { storage: ' sessionStorage ' }
// Persistent general storage; Direct Auth tokens still use memory
// unless sessionStorage is selected.
storage: { storage: ' localStorage ' , prefix: ' myapp-auth ' }
Type Default Description 'token' | 'cookie''token'Browser session profile
@authrim/web defaults to the browser-token profile. Use profile: 'cookie' only when your app is integrated with a same-origin token-handler or BFF that owns an HttpOnly cookie session. profile: 'auto' is reserved for framework adapters such as @authrim/sveltekit; do not use it directly with @authrim/web.
const auth = await createAuthrim ( {
issuer: ' https://auth.example.com ' ,
Type Default Description 'strict' | 'cookie_fallback' | 'legacy''strict'Browser public-client security mode
Custom browser SDK clients default to strict. Hosted or BFF-style integrations may select cookie_fallback at the integration boundary.
Type Default Description 'disabled' | 'dpop_bound''disabled'Browser refresh token policy
Use dpop_bound only when the browser can keep stable non-extractable DPoP key material for this issuer and client.
Type Default Description { cookieName?: string; headerName?: string }{ cookieName: 'authrim_csrf', headerName: 'X-Authrim-CSRF' }Double-submit CSRF integration for cookie profile requests
Type Default Description string${window.location.origin}/callback.htmlRedirect URI for silent SSO
Used by auth.oauth.trySilentLogin() and auth.oauth.handleSilentCallback(). Must be a page that calls handleSilentCallback().
silentLoginRedirectUri: ' https://myapp.com/auth/callback '
The Authrim return type is conditional based on enableOAuth:
// enableOAuth: false (or omitted)
const auth = await createAuthrim ( {
auth . passkey // ✅ Available
auth . emailCode // ✅ Available
auth . social // ✅ Available
auth . session // ✅ Available
auth . oauth // ❌ undefined
// Type: AuthrimWithOAuth
const auth = await createAuthrim ( {
auth . passkey // ✅ Available
auth . oauth // ✅ Available
Namespace Description auth.passkeyPasskey (WebAuthn) authentication auth.emailCodeEmail code (OTP) authentication auth.socialSocial provider authentication auth.sessionSession management auth.handoffVerify Smart Handoff SSO tokens auth.stepUpStart, resend, and complete step-up challenges auth.customerProfilesDelegated/elevated customer profile reads and writes auth.devicesList, rename, and unlink trusted devices auth.fetch()Fetch protected resources with token or cookie profile behavior auth.signInSign-in shortcuts auth.signUpSign-up shortcuts auth.signOut()Sign out auth.signOutApplicationGroup()Sign out the current application group auth.signOutAll()Global sign-out auth.on()Event subscription
Namespace Description auth.oauth.popupPopup-based OAuth login auth.oauth.silentAuthIframe-based silent authentication auth.oauth.trySilentLogin()Top-level navigation SSO auth.oauth.handleSilentCallback()SSO callback handler auth.oauth.buildAuthorizationUrl()Manual authorization URL auth.oauth.handleCallback()Manual callback handling
The SDK provides shortcut methods for common operations:
// Shortcut: auth.signIn.passkey()
// Equivalent: auth.passkey.login()
const { data , error } = await auth . signIn . passkey ();
// Shortcut: auth.signIn.social('google')
// Equivalent: auth.social.loginWithPopup('google')
const { data , error } = await auth . signIn . social ( ' google ' );
// Shortcut: auth.signUp.passkey({ email })
// Equivalent: auth.passkey.signUp({ email })
const auth = await createAuthrim ( {
issuer: ' https://auth.example.com ' ,
const auth = await createAuthrim ( {
issuer: ' https://auth.example.com ' ,
storage: ' sessionStorage ' ,
browserPublicClientMode: ' strict ' ,
browserRefreshTokenPolicy: ' disabled ' ,
cookieName: ' authrim_csrf ' ,
headerName: ' X-Authrim-CSRF ' ,
silentLoginRedirectUri: ' https://myapp.com/callback ' ,