Skip to content
Authrim

Session Management

Overview

After a user authenticates (via Passkey, Email Code, Social Login, or OAuth), the SDK creates a session. The auth.session namespace provides methods to query, validate, refresh, and manage that session.

Getting the Current Session

Retrieve the current session and user data:

const { data, error } = await auth.session.get();


if (error) {
  console.error('Session error:', error.message);
  return;
}


if (data === null) {
  console.log('Not authenticated');
  return;
}


console.log('User:', data.user);
console.log('Session:', data.session);

Response Types

interface AuthSessionData {
  session: Session;
  user: User;
}


interface Session {
  id: string;
  userId: string;
  createdAt: string;
  expiresAt: string;
}


interface User {
  id: string;        // or sub
  email?: string;
  name?: string;
  nickname?: string;
  email_verified?: boolean;
  // ...additional claims
}

Checking Authentication Status

A lightweight check — does not fetch full user data:

const isLoggedIn = await auth.session.isAuthenticated();


if (isLoggedIn) {
  // Show authenticated UI
} else {
  // Show login button
}

This is faster than session.get() because it only checks session validity without fetching user information.

Getting User Information

Fetch the current user’s profile:

const user = await auth.session.getUser();


if (user) {
  console.log('Email:', user.email);
  console.log('Name:', user.name);
  console.log('Verified:', user.email_verified);
} else {
  console.log('Not authenticated');
}

Validating the Session

Check if the current session is still valid on the server:

const isValid = await auth.session.validate();


if (!isValid) {
  // Session expired or revoked — redirect to login
  window.location.href = '/login';
}

validate() makes a server call, so use it when you need to confirm session validity (e.g., before a sensitive operation). For routine checks, isAuthenticated() is sufficient.

Refreshing the Session

Manually refresh the session to extend its lifetime:

const session = await auth.session.refresh();


if (session) {
  console.log('Session refreshed. New expiry:', session.expiresAt);
} else {
  console.log('Refresh failed — session may have expired');
}

The SDK handles automatic session refresh internally, so you typically do not need to call this manually. Use it when you need to force a refresh (e.g., after a user updates their profile).

Clearing the Cache

The SDK caches session and user data in memory. Clear the cache to force a fresh fetch:

auth.session.clearCache();


// Next call to get() or isAuthenticated() will hit the server
const { data } = await auth.session.get();

Signing Out

End the user’s session:

await auth.signOut();

This calls the Authrim server’s logout endpoint and clears local session state. The auth:logout event is emitted after sign-out completes.

Sign Out Options

interface SignOutOptions {
  /** Redirect after logout (RP-initiated logout) */
  redirectUri?: string;
}


// Redirect to a specific page after logout
await auth.signOut({
  redirectUri: 'https://myapp.com/goodbye',
});

Page Load Pattern

A common pattern for page initialization:

const auth = await createAuthrim({
  issuer: 'https://auth.example.com',
  clientId: 'my-app',
});


async function initPage() {
  const { data } = await auth.session.get();


  if (!data) {
    // Not authenticated — show login UI
    showLoginButton();
    return;
  }


  // Authenticated — show user content
  showUserDashboard(data.user, data.session);
}


initPage();

Protected Page Pattern

Redirect unauthenticated users to login:

async function requireAuth() {
  const isLoggedIn = await auth.session.isAuthenticated();


  if (!isLoggedIn) {
    window.location.href = '/login';
    return null;
  }


  const { data } = await auth.session.get();
  return data;
}


// Use in your page
const sessionData = await requireAuth();
if (!sessionData) return; // Redirect happening


// Proceed with authenticated logic
showProfile(sessionData.user);

Next Steps