npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@authspherejs/sdk

v1.1.5

Published

Secure OAuth2 SDK with PKCE for AuthSphere authentication

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

madhav9757madhav9757

Keywords

authoauthoauth2pkceauthenticationloginsdksecurity

Readme

🌐 AuthSphere Universal SDK

The high-performance, zero-trust TypeScript engine for secure identity orchestration.

npm version license bundle size

📖 Overview

The AuthSphere Universal SDK is a lightweight, zero-dependency TypeScript library designed to eliminate the complexity of implementing secure authentication. Written from the ground up for the modern web, it abstracts the intricacies of OpenID Connect (OIDC) and PKCE (Proof Key for Code Exchange) flows into a unified, high-level API.

Whether you are building a React SPA, a Next.js application, or a mobile-first web app, the AuthSphere SDK provides the cryptographic primitives and session management logic needed to establish verified user identity in milliseconds.

✨ Core Capabilities

🛡️ Automated OIDC + PKCE S256

The SDK is natively compliant with RFC 7636. It automatically handles the generation of high-entropy code_verifier strings and cryptographically secure code_challenge hashes (SHA-256), protecting your application against authorization code injection and Man-in-the-Middle (MITM) attacks.

🔌 Universal Provider Handshaking

A single, unified interface for initiating social identity redirects. One function call handles the state preservation and protocol negotiation for Google, GitHub, and Discord.

🔄 Stateless Session Management

The SDK manages the entire lifecycle of Access and Refresh tokens. It includes a built-in renewal engine that handles token rotation automatically before they expire, ensuring your users never face unexpected logout events.

🔐 Identity Challenge Engines

Complete support for local auth flows including Email/Password registration and OTP (One-Time Password) verification. The SDK preserves the original authentication context (sdk_request) across redirects, ensuring a seamless user experience.

🚀 Installation

Deploy the engine to your project via your preferred package manager:

# Using npm
npm install @authspherejs/sdk

# Using pnpm
pnpm add @authspherejs/sdk

# Using yarn
yarn add @authspherejs/sdk

🛠️ The 4-Step Handshake Lifecycle

1️⃣ Initialize the Global Handshake

Configure the AuthSphere singleton at the very root of your application (e.g., main.ts or App.jsx).

import AuthSphere from "@authspherejs/sdk";

AuthSphere.initAuth({
  publicKey: "YOUR_PROJECT_PUB_KEY", // Available in your Dashboard
  projectId: "YOUR_PROJECT_ID", // Available in your Dashboard
  redirectUri: window.location.origin + "/callback",
  baseUrl: "https://auth-sphere-6s2v.vercel.app",
});

2️⃣ Initiate Identity Handshake

Trigger a social login or local credentials flow.

// Social Login (Google, GitHub, Discord)
AuthSphere.redirectToLogin("google");

// Local Login with error handling for unverified users
const onLogin = async (credentials) => {
  try {
    const res = await AuthSphere.loginLocal(credentials);
    if (res?.redirect) window.location.href = res.redirect;
  } catch (err) {
    if (err instanceof AuthError && err.message.includes("not verified")) {
      // Redirect to OTP verification if email isn't verified yet
      navigate(
        `/verify-otp?email=${credentials.email}&sdk_request=${err.sdk_request}`,
      );
    }
  }
};

3️⃣ Resolve the Handshake

Inside your callback route (e.g., /callback), exchange the transient authorization code for a high-entropy session.

import { useEffect, useRef } from "react";
import { useNavigate, useSearchParams } from "react-router-dom";
import AuthSphere from "@authspherejs/sdk";

const Callback = () => {
  const navigate = useNavigate();
  const [params] = useSearchParams();
  const processed = useRef(false);

  useEffect(() => {
    if (processed.current) return;
    processed.current = true;

    // Handle verification requirement from social providers
    if (params.get("error") === "email_not_verified") {
      const email = params.get("email");
      const sdkReq = params.get("sdk_request");
      navigate(
        `/verify-otp?email=${email}${sdkReq ? `&sdk_request=${sdkReq}` : ""}`,
      );
      return;
    }

    AuthSphere.handleAuthCallback()
      .then(() => navigate("/dashboard"))
      .catch((err) => console.error("Handshake Failed:", err));
  }, [navigate, params]);

  return <div>Authenticating...</div>;
};

4️⃣ Identity Challenges (OTP & Registration)

For flows requiring Email/Password verification cycles.

// Registration
const onSignUp = async (data) => {
  await AuthSphere.register(data);
  navigate(`/verify-otp?email=${data.email}`);
};

// OTP Verification
const onVerify = async (otpValue) => {
  const res = await AuthSphere.verifyOTP({
    email,
    otp: otpValue,
    sdk_request: sdkReq,
  });

  if (res?.redirect) {
    window.location.href = res.redirect;
  } else {
    navigate(sdkReq ? "/dashboard" : "/login");
  }
};

📖 Comprehensive API Reference

initAuth(config: Config)

Configures the global identity client. Required once at app startup.

redirectToLogin(provider: Provider)

Performs a cryptographically protected redirect to the chosen provider.

handleAuthCallback()

The authoritative resolution function. Exchanges the OIDC code for a Session.

loginLocal(data: LoginData)

Authenticates using local credentials. Throws specific error codes for "Unverified" or "Suspended" users.

verifyOTP(data: OTPData)

Resolves a pending identity challenge using a 6-digit cryptographic code.

getUser()

Retrieves the active user profile (if any) from the secure persistence layer.

isAuthenticated()

A synchronous check of the current session state.

🛡️ Security Architecture & Compliance

The AuthSphere SDK is built to strictly adhere to the IETF Best Current Practices (BCP) for securing browser-resident applications.

  • PKCE Mandatory: Every redirect cycle generates a unique, high-entropy code_verifier.
  • State Integrity: Protects against Cross-Site Request Forgery (CSRF) via atomic state validation.
  • XSS Mitigation: Designed to minimize exposure of sensitive tokens and work seamlessly alongside strict Content Security Policies (CSP).

🔧 Technical Specifications

| Parameter | Type | Required | Description | | :------------ | :-------- | :------: | :------------------------------------------------------- | | publicKey | string | Yes | Your project's public key from the Command Center. | | projectId | string | Yes | Your project's unique ID from the Command Center. | | redirectUri | string | Yes | The URI your app redirects back to after authentication. | | baseUrl | string | No | Your API server URL (Default: Production). | | storage | Storage | No | Persistence layer (Default: localStorage). |

📄 License

Distributed under the MIT License. See LICENSE for more information.