Installation & Quick Start
Installation
Section titled “Installation”npm / pnpm / yarn
Section titled “npm / pnpm / yarn”# npmnpm install @authrim/web
# pnpmpnpm add @authrim/web
# yarnyarn add @authrim/webThen import in your application:
import { createAuthrim } from '@authrim/web';CDN (Script Tag)
Section titled “CDN (Script Tag)”For quick prototyping or static HTML sites, load the SDK from a CDN:
<script src="https://unpkg.com/@authrim/web@latest/dist/authrim-web.umd.global.js"></script>The global AuthrimWeb object becomes available:
<script> const auth = await AuthrimWeb.createAuthrim({ issuer: 'https://auth.example.com', clientId: 'my-app', });</script>Prerequisites
Section titled “Prerequisites”Before using the SDK, you need:
- An Authrim instance — A running Authrim server (e.g.,
https://auth.example.com) - A client ID — Register your application in the Authrim Admin panel to get a
clientId - Allowed Origins — Add your app’s origin (e.g.,
https://myapp.com) to the client’s allowed origins - Callback URL (for social login / OAuth) — Register
https://myapp.com/callback.htmlas a redirect URI
Initialization
Section titled “Initialization”Create an Authrim client with createAuthrim():
import { createAuthrim } from '@authrim/web';
const auth = await createAuthrim({ issuer: 'https://auth.example.com', clientId: 'my-app',});The function is async because it initializes browser providers (crypto, storage, HTTP client) internally. Call it once at application startup and reuse the returned client.
With OAuth / OIDC
Section titled “With OAuth / OIDC”To enable OAuth features (popup login, silent auth, cross-domain SSO), set enableOAuth: true:
const auth = await createAuthrim({ issuer: 'https://auth.example.com', clientId: 'my-app', enableOAuth: true,});
// Now auth.oauth is availableawait auth.oauth.popup.login();Quick Start: Passkey Login
Section titled “Quick Start: Passkey Login”Here is a minimal example that implements Passkey sign-up and sign-in:
import { createAuthrim } from '@authrim/web';
// 1. Initializeconst auth = await createAuthrim({ issuer: 'https://auth.example.com', clientId: 'my-app',});
// 2. Check if already authenticatedconst isLoggedIn = await auth.session.isAuthenticated();if (isLoggedIn) { console.log('Already signed in');}
// 3. Sign up with Passkey (new user)const signUpResult = await auth.passkey.signUp({});if (signUpResult.error) { console.error('Sign up failed:', signUpResult.error.message);} else { console.log('Welcome!', signUpResult.data.user);}
// 4. Sign in with Passkey (existing user)const loginResult = await auth.passkey.login();if (loginResult.error) { console.error('Login failed:', loginResult.error.message);} else { console.log('Signed in:', loginResult.data.user);}
// 5. Sign outawait auth.signOut();Quick Start: Email Code
Section titled “Quick Start: Email Code”// Send codeif (sendResult.error) { console.error(sendResult.error.message);}
// Verify code (user enters the code they received)if (verifyResult.error) { console.error(verifyResult.error.message);} else { console.log('Authenticated:', verifyResult.data.user);}Quick Start: Social Login
Section titled “Quick Start: Social Login”// Popup login with Googleconst result = await auth.social.loginWithPopup('google');if (result.error) { console.error(result.error.message);} else { console.log('Signed in via Google:', result.data.user);}Storage Options
Section titled “Storage Options”By default, the SDK uses in-memory storage. This keeps browser-held state scoped to the current page lifecycle and clears it on reload/navigation. Opt into Web Storage only when your app needs reload or long-lived persistence:
const auth = await createAuthrim({ issuer: 'https://auth.example.com', clientId: 'my-app', storage: { prefix: 'authrim', // Key prefix (default: 'authrim') storage: 'sessionStorage', // default: 'memory' },});| Type | Persistence | Security | Use Case |
|---|---|---|---|
memory | Current page lifecycle | Most secure; no DOM storage | Default for strict browser-token flows |
sessionStorage | Tab session (survives reload, cleared on tab close) | Exposed to JS in the tab | Apps that need reload persistence |
localStorage | Persistent (survives browser restart) | Exposed to JS across tabs | General SDK/OAuth state only; not used for Direct Auth token persistence |
HTTPS Requirement
Section titled “HTTPS Requirement”The SDK requires HTTPS in production. WebAuthn (Passkey) does not work on insecure origins.
- Production: HTTPS required
- Development:
localhostand127.0.0.1are allowed over HTTP
Next Steps
Section titled “Next Steps”- Example App — Walk through a complete working example
- Passkey Authentication — Deep dive into WebAuthn flows
- Email Code Authentication — OTP-based passwordless login
- Social Login — Google, GitHub, Apple and more