@agenticprimitives/fedcm-rp

v1.0.0-alpha.6

Published

Relying-party FedCM wrapper: navigator.credentials.get({identity}) → IdP token. The FedCM strategy injected into browser-identity's chooseSignIn. FedCM-first, not FedCM-only (ADR-0031).

Downloads

144

Readme

@agenticprimitives/fedcm-rp

Browser-native sign-in for the relying party — that hands back identity, never authority.

When the browser supports FedCM, a relying site can skip the redirect dance entirely: the browser shows a native account chooser and returns a signed assertion. fedcm-rp is the thin, dependency-free wrapper over navigator.credentials.get({ identity }) that makes that call correctly — including the post-Chrome-145 field shapes that broke naive integrations — and returns the IdP token. It is the FedCM strategy you inject into @agenticprimitives/browser-identity's chooseSignIn — FedCM-first, not FedCM-only (ADR-0031; spec 264).

The returned token is a thin identity bootstrap: it says who signed in, nothing more. The deep capability/delegation object — scoped, revocable, on-chain-enforceable authority — is obtained from the substrate after this token (ADR-0031), never decoded from a FedCM scope. Sign-in and authorization stay separate layers, which is exactly where stitched stacks leak.

Part of agenticprimitives — the trust substrate for the agent economy: one canonical Smart Agent identity with custody, delegation, naming, credentials, and audit evidence designed as one system.

Install

npm install @agenticprimitives/fedcm-rp

Usage (as the injected FedCM strategy)

import { chooseSignIn } from '@agenticprimitives/browser-identity';
import { fedcmSupported, fedcmGet } from '@agenticprimitives/fedcm-rp';

// nonce, exchangeAssertionForSession and startConnectPopup are supplied by your app.
const result = await chooseSignIn({
  // Run FedCM when the browser supports it; otherwise the guaranteed spec-259 fallback.
  fedcm: fedcmSupported()
    ? async () => {
        const { token } = await fedcmGet({
          providers: [{
            configURL: 'https://www.example/fedcm/config.json',
            clientId: 'demo-gs',
            // post-145: nonce + custom params ride INSIDE params
            params: { nonce, scope: 'profile.read', intent: 'signin' },
          }],
        });
        return exchangeAssertionForSession(token); // → your app session + substrate delegation
      }
    : undefined,
  fallback: () => startConnectPopup(),
});

fedcmGet(options)

providers[] (1+; Chrome 136 multi-IdP), context (signin|signup|use|continue), mode (passive|active; active requires a single provider + a user gesture), mediation (optional|required|silent), signal. Returns { token, configURL?, isAutoSelected? }. Throws if unsupported / dismissed / errored — treat a throw as "use the fallback."

How it's different from calling FedCM directly

You could call navigator.credentials.get({ identity }) yourself. Three reasons this wrapper earns its place:

  • It tracks the moving contract. FedCM's request shape changed across Chrome 143→145 (nonce and custom params moved inside params); this package encodes the current shape so your app code does not chase browser releases.
  • It is failure-honest. A throw means "use the fallback" — composing cleanly with browser-identity's selector instead of leaving every caller to invent its own unsupported/dismissed/error handling.
  • It refuses to be an authorization channel. No token decoding, no scope interpretation, no substrate imports. The consumer exchanges the token with the substrate; permissions can never ride in on a browser credential.

The IdP half lives in fedcm-idp; the FedCM-vs-fallback selection in browser-identity.
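
The request shape and failure contract described above, as an added JavaScript sketch (not the package's own source): it shapes the post-145 request with the nonce inside params, rejects the older top-level nonce, and turns any throw into the fallback. buildIdentityRequest, getIdentityToken, signIn and fakeCredentials are hypothetical names; the credentials container is injected so the code runs outside a browser, and requiring a nonce is this sketch's own assumption.

```javascript
// Added sketch, not the source of @agenticprimitives/fedcm-rp.
// Post-145 shape: nonce and custom params travel inside `params`.
function buildIdentityRequest({ providers, context = 'signin', mode = 'passive', mediation, signal } = {}) {
  if (!Array.isArray(providers) || providers.length === 0) {
    throw new TypeError('at least one provider is required');
  }
  if (mode === 'active' && providers.length !== 1) {
    throw new TypeError('active mode requires a single provider');
  }
  const shaped = providers.map(({ configURL, clientId, params = {}, ...rest }) => {
    if (!configURL || !clientId) throw new TypeError('configURL and clientId are required');
    // A top-level nonce is the pre-145 shape: fail loudly instead of sending it.
    if ('nonce' in rest) throw new TypeError('nonce must be passed as params.nonce');
    // Assumption of this sketch: a nonce is mandatory, so every assertion is request-bound.
    if (typeof params.nonce !== 'string' || !params.nonce) {
      throw new TypeError('params.nonce is required');
    }
    return { configURL, clientId, params: { ...params } };
  });
  const request = { identity: { providers: shaped, context, mode } };
  if (mediation) request.mediation = mediation;
  if (signal) request.signal = signal;
  return request;
}

// `credentials` is injected (navigator.credentials in a browser) so this runs offline.
async function getIdentityToken(options, credentials) {
  if (!credentials || typeof credentials.get !== 'function') throw new Error('FedCM unsupported');
  const cred = await credentials.get(buildIdentityRequest(options)); // rejects on dismiss/error
  if (!cred || typeof cred.token !== 'string') throw new Error('FedCM returned no token');
  // The token stays opaque here: no decoding, no scope interpretation.
  return { token: cred.token, configURL: cred.configURL, isAutoSelected: cred.isAutoSelected };
}

// Any throw (unsupported, dismissed, errored, bad request shape) selects the fallback.
async function signIn(options, credentials, fallback) {
  try {
    return { via: 'fedcm', ...(await getIdentityToken(options, credentials)) };
  } catch {
    return { via: 'fallback', ...(await fallback()) };
  }
}

// Constructed stand-in for navigator.credentials, for offline runs only.
const fakeCredentials = {
  get: async (req) => ({ token: `opaque-for-${req.identity.providers[0].params.nonce}`, isAutoSelected: false }),
};
```
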

Boundaries

Generic + transport-agnostic (ADR-0021): no app imports, no hostnames. The consumer supplies configURL / clientId / params, and exchanges the token with the substrate.

Status — draft, and labeled as such

This package is a draft (spec 264 Phase 1, private: true). FedCM is Chromium-only today, and the field names changed across Chrome 143→145 (params.nonce, .error). Verify against a live Chrome before relying on this in production (spec 264 Phase 1b).

Beyond that caveat: testnet/pilot-ready. Production launch is gated on the public checklist in the root README — including third-party contract audit and governance key rotation. Track every security finding live in docs/audits/findings.yaml.

Validate

pnpm --filter @agenticprimitives/fedcm-rp build
pnpm --filter @agenticprimitives/fedcm-rp test

License

MIT