Ship secure auth fast, without giving up control.

Production docs for Auth Platform and auth-platform-sdk v3.2.0. OAuth 2.0 + PKCE, HttpOnly token handling, session revocation streams, and multi-tenant admin controls.

OAuth 2.0 + PKCE | Confidential/Public Clients | HttpOnly Cookies | SSE Session Revocation

Auth Platform Setup (Clean Next.js App Router)

1. Install SDK

cd test1   # your Next.js App Router project directory
npm install auth-platform-sdk

2. Add Environment Variables

# .env.local
# NEXT_PUBLIC_* values are bundled into browser JavaScript: configuration only, never secrets.
NEXT_PUBLIC_AUTH_SERVER=__AUTH_SERVER__
NEXT_PUBLIC_CLIENT_ID=your-client-id
# must match, character for character, the redirect URI registered for this client on the Auth Platform
NEXT_PUBLIC_REDIRECT_URI=http://localhost:3000/callback
NEXT_PUBLIC_AUTH_PROXY_PATH=/api/auth

# server-only (no NEXT_PUBLIC_ prefix, so Next.js never ships these to the browser)
AUTH_CLIENT_SECRET=your-client-secret
AUTH_CLIENT_TYPE=confidential

3. Create Auth Proxy Route (Required Path)

Create exactly app/api/auth/[...path]/route.ts, so that the catch-all route serves NEXT_PUBLIC_AUTH_PROXY_PATH. Do not use app/api/route.ts for this: without the [...path] segment the proxy cannot tell which endpoint (/oauth/token, /token/refresh, ...) is being called.

import { createAuthProxy } from 'auth-platform-sdk/server';
import type { NextRequest } from 'next/server';

// Node runtime: the proxy reads AUTH_CLIENT_SECRET and writes HttpOnly cookies,
// both of which must stay server-side. Auth responses must never be cached.
export const runtime = 'nodejs';
export const dynamic = 'force-dynamic';

const proxy = createAuthProxy();
// Next.js 15+ passes route params as a Promise; `path` is the catch-all segment
// after /api/auth, e.g. ['oauth', 'token'].
type Ctx = { params: Promise<{ path?: string[] }> };

async function handler(req: NextRequest, ctx: Ctx): Promise<Response> {
  return proxy(req, ctx);
}

// Only GET and POST are exported; see Allowed Proxy Endpoints below.
export const GET = handler;
export const POST = handler;

4. Wrap App with AuthProvider

Keep the provider inside the <body> element, where it wraps every page that calls useAuth().

// app/layout.tsx
import { AuthProvider } from 'auth-platform-sdk/client';

export default function RootLayout({ children }: { children: React.ReactNode }) {
  return (
    <html>
      <body>
        <AuthProvider>{children}</AuthProvider>
      </body>
    </html>
  );
}

5. Create Callback Page (Required)

Create app/callback/page.tsx so that it serves the path in NEXT_PUBLIC_REDIRECT_URI (/callback above).

'use client';

import { useEffect, useRef, useState } from 'react';
import { useRouter } from 'next/navigation';
import { useAuth } from 'auth-platform-sdk/client';

export default function CallbackPage() {
  const router = useRouter();
  const { authClient } = useAuth();
  const [error, setError] = useState<string | null>(null);
  // React Strict Mode runs effects twice in development; an authorization code
  // is single-use, so make sure the exchange is started only once.
  const started = useRef(false);

  useEffect(() => {
    // Wait for the provider to create the client. Without this check the page
    // would redirect to / before the code had been exchanged.
    if (!authClient || started.current) return;
    started.current = true;

    (async () => {
      try {
        // Completes the code exchange through the /api/auth proxy, which sets
        // the HttpOnly session cookies; the page never sees a token.
        await authClient.handleCallback();
        router.replace('/');
      } catch (err) {
        setError(err instanceof Error ? err.message : 'Sign-in failed');
      }
    })();
  }, [authClient, router]);

  if (error) return <p>Sign-in failed: {error}</p>;
  return <p>Signing you in...</p>;
}

6. Use Auth in Client Page

In app/page.tsx:

  • Add 'use client' at the top: useAuth() is a React hook and cannot run in a Server Component.
  • Read { user, login } from useAuth().
  • Login button: onClick={() => login()}.
  • Render user?.email for the signed-in state. The page only ever sees claims; the tokens stay in HttpOnly cookies.

7. Run and Verify

npm run dev

Flow to verify:

  • Click Login
  • Complete auth on the Auth Platform
  • Browser is redirected to /callback with code and state
  • Callback page completes the code exchange through /api/auth
  • Returns to / as an authenticated user

Then confirm in browser DevTools that the session cookies set by /api/auth are HttpOnly, and that no access or refresh token appears in localStorage, sessionStorage, or any response body.

Client + Server Reference

auth-platform-sdk/client

Browser + React integration for OAuth flow and authenticated session state.

  • AuthProvider, useAuth(), AuthClient
  • login({ prompt, loginHint }) to control OAuth prompt behavior
  • onAuthChange((isAuth, reason) => ...) for revocation/expiry handling
  • restoreSession(), refreshAccessToken(), startAutoRefresh()

auth-platform-sdk/server

BFF proxy that keeps secrets/tokens out of browser JavaScript.

createAuthProxy({
  authServerUrl: process.env.AUTH_SERVER_URL,   // same server as NEXT_PUBLIC_AUTH_SERVER
  clientSecret: process.env.AUTH_CLIENT_SECRET, // server-only; never a NEXT_PUBLIC_ variable
  clientType: 'confidential' // or 'public'
});

Use `public` only when your OAuth client is intentionally configured as public (PKCE-only). A public client has no client_secret to inject; the proxy still keeps tokens in HttpOnly cookies and scrubs them from responses.

Allowed Proxy Endpoints

Paths are relative to NEXT_PUBLIC_AUTH_PROXY_PATH (/api/auth above). The proxy forwards only these paths.

Method  Path                    Purpose
POST    /oauth/token            Code exchange; the server injects client_secret for confidential clients
GET     /oauth/logout           Ends the upstream auth session and clears local cookies
POST    /token/refresh          Refreshes from the HttpOnly refresh cookie
POST    /token/verify           Validates the access token and returns its payload for UI session state
POST    /token/revoke           Revokes the session and clears local cookies
POST    /token/session-check    Lightweight session status check
GET     /token/session-stream   SSE stream for force-logout revocation events
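Added example, not code from auth-platform-sdk: how a client would consume the /token/session-stream feed above and drive the same (isAuth, reason) callback shape that onAuthChange exposes in the client reference. The event names (heartbeat, revoked), the JSON payload and the sample stream are constructed assumptions; check them against what your stream actually emits. The sample chunk is split in the middle of a frame to show the buffering a real reader needs, and it runs offline.

```typescript
// Added example (not auth-platform-sdk code). Event names, payload shape and
// the sample stream below are assumptions for illustration.
interface SseEvent { event: string; data: string; id?: string }

// Parse every complete SSE frame out of a buffer and return the unparsed tail.
// Frames end with a blank line; multiple "data:" lines join with "\n";
// lines starting with ":" are comments/keep-alives (RFC-free, per the WHATWG spec).
function parseSse(buffer: string): { events: SseEvent[]; rest: string } {
  const events: SseEvent[] = [];
  const frames = buffer.split(/\r?\n\r?\n/);
  const rest = frames.pop() ?? ''; // the last piece may be an incomplete frame
  for (const frame of frames) {
    let event = 'message', id: string | undefined;
    const data: string[] = [];
    for (const line of frame.split(/\r?\n/)) {
      if (line.startsWith(':')) continue;
      const i = line.indexOf(':');
      const field = i < 0 ? line : line.slice(0, i);
      const value = i < 0 ? '' : line.slice(i + 1).replace(/^ /, '');
      if (field === 'event') event = value;
      else if (field === 'data') data.push(value);
      else if (field === 'id') id = value;
    }
    if (data.length) events.push({ event, data: data.join('\n'), id });
  }
  return { events, rest };
}

type AuthChange = (isAuth: boolean, reason: string) => void;

// Only a revocation may flip isAuth to false. Heartbeats and anything
// malformed are ignored rather than treated as a logout: a garbled frame
// must not be able to sign a user out, and must not keep them signed in either
// (that is what /token/session-check and refresh failures are for).
function handleSessionEvent(ev: SseEvent, onAuthChange: AuthChange): boolean {
  let payload: { type?: string; reason?: string; sid?: string } = {};
  try { payload = JSON.parse(ev.data); } catch { return false; }
  switch (ev.event) {
    case 'revoked':
      onAuthChange(false, payload.reason ?? 'revoked');
      return true;
    default:
      return false; // 'heartbeat' and unknown events
  }
}

// Constructed sample: two network reads, the second frame split across them.
const sampleChunks = [
  ': keep-alive\n\nevent: heartbeat\ndata: {"type":"heartbeat"}\n\nevent: rev',
  'oked\nid: 42\ndata: {"type":"revoked","reason":"admin_force_logout","sid":"s1"}\n\n',
];

function runSample(): { reasons: string[]; lastId?: string } {
  const reasons: string[] = [];
  let buf = '';
  let lastId: string | undefined;
  for (const chunk of sampleChunks) {
    buf += chunk;
    const { events, rest } = parseSse(buf);
    buf = rest;
    for (const ev of events) {
      if (ev.id) lastId = ev.id; // resend as Last-Event-ID when reconnecting
      handleSessionEvent(ev, (_isAuth, reason) => reasons.push(reason));
    }
  }
  return { reasons, lastId };
}
```

When a revoked event arrives, the handler should clear UI state and send the user to login; the cookies themselves are cleared server-side by /token/revoke or /oauth/logout, which is why the browser only needs the status, never the token.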

How Tokens Stay Protected

Browser

  • Generates PKCE verifier/challenge + state
  • Never stores client secret
  • Never reads access/refresh tokens directly
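Added example, not code from auth-platform-sdk: the browser side of the flow in plain TypeScript on Node's crypto, so it runs offline. It shows the RFC 7636 verifier and S256 challenge, a random state, the authorize URL, the state check that must pass on the callback, and the comparison the authorization server makes between the presented verifier and the stored challenge. The /oauth/authorize path and the scope string are assumptions.

```typescript
// Added example (not auth-platform-sdk code). The authorize path and scope
// are assumptions; the PKCE math follows RFC 7636.
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

// base64url without padding (RFC 4648 section 5), as PKCE and JWTs require.
function base64url(buf: Buffer): string {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// RFC 7636 section 4.1: 43..128 chars of [A-Za-z0-9-._~]. 32 random bytes
// base64url-encode to exactly 43 characters.
function newCodeVerifier(): string {
  return base64url(randomBytes(32));
}

function isValidVerifier(v: string): boolean {
  return /^[A-Za-z0-9\-._~]{43,128}$/.test(v);
}

// RFC 7636 section 4.2: S256 challenge = BASE64URL(SHA256(ASCII(verifier))).
function codeChallengeS256(verifier: string): string {
  return base64url(createHash('sha256').update(verifier, 'ascii').digest());
}

// What the authorization server does at /oauth/token: recompute the challenge
// from code_verifier and compare it with the one bound to the code.
function verifierMatchesChallenge(verifier: string, challenge: string): boolean {
  if (!isValidVerifier(verifier)) return false;
  const a = Buffer.from(codeChallengeS256(verifier));
  const b = Buffer.from(challenge);
  return a.length === b.length && timingSafeEqual(a, b);
}

interface AuthorizeRequest {
  url: string;
  verifier: string; // keep in the browser (e.g. sessionStorage) until the callback
  state: string;    // keep in the browser; compare on the callback
}

function buildAuthorizeRequest(
  authServer: string, clientId: string, redirectUri: string, scope = 'openid profile email',
): AuthorizeRequest {
  const verifier = newCodeVerifier();
  const state = base64url(randomBytes(16));
  const u = new URL('/oauth/authorize', authServer); // path is an assumption
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('scope', scope);
  u.searchParams.set('code_challenge', codeChallengeS256(verifier));
  u.searchParams.set('code_challenge_method', 'S256');
  u.searchParams.set('state', state);
  return { url: u.toString(), verifier, state };
}

// Callback check: refuse the response unless state equals the stored value
// (CSRF and mix-up protection) and an authorization code is present.
function checkCallback(callbackUrl: string, expectedState: string): { code: string } | { error: string } {
  const p = new URL(callbackUrl).searchParams;
  const err = p.get('error');
  if (err) return { error: err };
  const a = Buffer.from(p.get('state') ?? '');
  const b = Buffer.from(expectedState);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return { error: 'state_mismatch' };
  const code = p.get('code');
  if (!code) return { error: 'missing_code' };
  return { code };
}
```

The verifier and state are the only two values the browser has to hold between redirect and callback; neither is a secret of lasting value, which is why they can live in sessionStorage while tokens cannot.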

Server Proxy

  • Injects client secret only on server-side
  • Stores tokens as HttpOnly cookies
  • Scrubs token fields from response bodies
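Added example, not code from auth-platform-sdk: the proxy-side split of an upstream /oauth/token response into HttpOnly cookies plus a scrubbed body, as the three bullets above describe, and the cookie read that POST /token/refresh then performs. The cookie names (ap_access, ap_refresh), lifetimes and the use of the __Host-/__Secure- prefixes are assumptions about what createAuthProxy does internally; the attributes shown are what a BFF should set.

```typescript
// Added example (not auth-platform-sdk code). Cookie names, lifetimes and
// prefixes are assumptions for illustration.
interface TokenResponse {
  access_token?: string;
  refresh_token?: string;
  id_token?: string;
  token_type?: string;
  expires_in?: number;
  [k: string]: unknown;
}

// Fields that must never reach browser JavaScript.
const SECRET_FIELDS = new Set(['access_token', 'refresh_token', 'id_token']);

interface CookieOpts { path: string; maxAge: number; secure: boolean }

function serializeCookie(name: string, value: string, o: CookieOpts): string {
  // HttpOnly: invisible to document.cookie, so XSS cannot read the token.
  // SameSite=Lax: not attached to cross-site POSTs, which blocks most CSRF.
  // Secure: HTTPS only, and required for the __Host-/__Secure- prefixes.
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `Path=${o.path}`,
    `Max-Age=${o.maxAge}`,
    'HttpOnly',
    'SameSite=Lax',
  ];
  if (o.secure) parts.push('Secure');
  return parts.join('; ');
}

function splitTokenResponse(
  upstream: TokenResponse, secure = true, proxyPath = '/api/auth',
): { body: Record<string, unknown>; setCookies: string[] } {
  const setCookies: string[] = [];
  if (upstream.access_token) {
    // __Host-: the browser accepts it only with Secure, Path=/ and no Domain,
    // so a subdomain cannot plant a look-alike cookie.
    setCookies.push(serializeCookie(secure ? '__Host-ap_access' : 'ap_access', upstream.access_token,
      { path: '/', maxAge: upstream.expires_in ?? 300, secure }));
  }
  if (upstream.refresh_token) {
    // The refresh token only needs to reach the proxy, so scope it to that
    // path; __Host- forbids a sub-path, hence __Secure- here.
    setCookies.push(serializeCookie(secure ? '__Secure-ap_refresh' : 'ap_refresh', upstream.refresh_token,
      { path: proxyPath, maxAge: 30 * 24 * 3600, secure }));
  }
  // Scrub: pass through metadata the UI may use, drop every token field.
  const body: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(upstream)) {
    if (!SECRET_FIELDS.has(k)) body[k] = v;
  }
  return { body, setCookies };
}

// On POST /token/refresh the proxy reads the refresh cookie back out of the
// Cookie header; the browser never handled the value.
function getCookie(cookieHeader: string | null, name: string): string | undefined {
  if (!cookieHeader) return undefined;
  for (const part of cookieHeader.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === name) return decodeURIComponent(rest.join('='));
  }
  return undefined;
}
```

With `secure = false` (plain-http local development) the prefixes are dropped because browsers reject prefixed cookies without the Secure attribute; keep that switch tied to NODE_ENV, not to a request header an attacker can set.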

Auth Platform

  • Issues RS256 JWT access + refresh tokens
  • Supports live session revocation signaling
  • Applies tenant and app isolation rules

Browser (PKCE + state) -> /api/auth/* proxy (secret + HttpOnly cookies) -> Auth Platform
Auth Platform -> proxy verifies/refreshes session -> browser receives auth status only

Admin and Runtime Features

Identity Controls

OAuth SSO toggle per app, OTP flows, passkeys, admin MFA, and redirect URI policy.

Session Control

Real-time force logout, refresh token rotation, and active session visibility.

Auditability

Login history, OAuth consent activity, and admin activity events for security reviews.