auth-client overview
@rw3iss/auth-client is the browser SDK. Vanilla TypeScript core
with first-class adapters for React, Preact, SolidJS, Vue, and Astro.
Hexagonal architecture — every external dependency is an injectable
port with a browser-native default.
| Source | rw3iss/auth-client |
| Live demo | demo.auth.ryanweiss.net |
| Companion | auth-shared (types) |
Highlights
- Same API everywhere. Every adapter exposes
useAuth,useLogin,useStartSso, … — switching frameworks is a one-line import change. - Three bootstrap modes.
auto(default): proactively validates the cached session against/auth/meat boot. UIs gate their first render onready().lazy: trusts cached claims, defers validation until the first failed request.offline: inert mode. Flow methods throwOfflineModeError.
- Auto-retry on 401.
authenticatedRequest()refreshes under a mutex and retries once. Refresh failure clears state + emitssession_expired. - Cross-tab session sync. BroadcastChannel keeps every tab consistent.
- Refresh-mutex coalescing. A burst of N concurrent requests just-before-expiry triggers ONE refresh, not N.
- Pluggable everything. Token store, transport, storage, clock, crypto, logger, broadcast — each is a port.
- Full server feature parity. Password + SSO/PKCE, TOTP 2FA, refresh-rotation, dual-secret rotation, impersonation, hard-delete, per-user token-version, org / app context switching.
The 80% usage
import { createAuthClient } from '@rw3iss/auth-client';
const auth = createAuthClient({ apiBaseUrl: 'https://auth.ryanweiss.net/api/v1', appCode: 'marketplace-buyer',});
await auth.ready();if (auth.isAuthenticated()) { console.log('signed in as', auth.getCurrentUser());} else { await auth.loginWithPassword({ email, password });}
auth.on('logged_out', () => router.push('/login'));See Quickstart for the full pattern.
The module API
The SDK surface is organized into namespaced modules — stateless method groups over the one client core, which owns all auth context, token storage and refresh:
| Module | Purpose |
|---|---|
client.auth | login (password / SSO / magic link), register, logout(-all), refresh, switchOrg, whoami, identity getters |
client.account | own password, email verification, 2FA, memberships, invitations, delete-my-account |
client.sessions | own device sessions |
client.users | admin user administration (roles, sessions, impersonate, hard delete) |
client.organizations | org CRUD, members, custom roles, invitations |
client.apps | application registry (pools, policy, webhooks) + user access grants |
client.services | m2m machine-credential registry |
client.pools | user pools (namespaces) |
client.audit | audit log |
await auth.organizations.addMember(orgId, userId);await auth.apps.update(appId, { webhooks: [...] });const pools = await auth.pools.list();Since v0.3.0 the modules OWN the endpoint implementations — the
old flat endpoint methods (auth.listApps(), …) are removed from
AuthClient, which keeps only the session engine (lifecycle/state +
session-mutating operations like loginWithPassword, logoutAll,
switchOrg). Framework hooks are unaffected. Each module class is
documented on its own page in the
reference (AuthModule, UsersModule, …).
Adapters
| Framework | Subpath | Surface |
|---|---|---|
| React | @rw3iss/auth-client/react | useAuth, useLogin, useLogout, useVerifyEmail, useRequestMagicLink, useAdminListUserSessions, … |
| Preact | @rw3iss/auth-client/preact | Same surface as React. Used by auth-client-demo. |
| Solid | @rw3iss/auth-client/solid | Solid stores — same surface. |
| Vue | @rw3iss/auth-client/vue | Vue composables — same surface. |
| Astro | @rw3iss/auth-client/astro | Astro helpers + middleware. |
UI components
| Subpath | What’s inside |
|---|---|
@rw3iss/auth-client/preact/ui/atoms | 13 headless primitives — AuthStatusBadge, UserAvatar, UserMenu, LogoutButton, SsoButton, ProtectedRoute, GuestOnly, RoleGate, PermissionGate, TokenExpiryCountdown, AuthLoading. |
@rw3iss/auth-client/preact/ui/forms | 25 composed forms — LoginForm, RegisterForm, PasswordResetRequestForm, TwoFactorEnrollment, SessionsList, MagicLinkRequestForm, DeleteAccountForm, AuditLogTable, UsersTable, AdminUserEditPanel, OrgRoleEditor, … |
@rw3iss/auth-client/preact/ui/flows | 7 end-to-end multi-step flows — CompleteLoginFlow, CompleteSignupFlow, CompletePasswordResetFlow, CompleteSsoCallbackFlow, CompleteAccountSecurityFlow, CompleteImpersonationFlow, CompleteOrgAdminFlow. |
See the live catalog at demo.auth.ryanweiss.net.
Related pages
- How it works — session manager, port abstraction, refresh-rotation.
- Quickstart — install + 30-line setup.
- Framework adapters — per-framework usage pages.
- Class reference — auto-generated TypeDoc.
- Playground — the live demo.