npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@auvexis/accounts

v0.1.13

Published

Runtime-agnostic OAuth/OIDC client for Auvexis Accounts.

Readme

@auvexis/accounts

Runtime-agnostic OAuth 2.0/OpenID Connect client for Auvexis Accounts.

Install

npm install @auvexis/accounts

Node.js 20 or newer is required. The SDK is ESM-only and uses standard fetch, URL, and Web Crypto APIs.

Connect an account

import { createAuvexisAccountsClient } from "@auvexis/accounts";

const accounts = createAuvexisAccountsClient({
  clientId: process.env.AUVEXIS_CLIENT_ID!,
  redirectUri: "http://127.0.0.1:23801/oauth/callback",
});

const transaction = await accounts.createAuthorization({
  productSubject: {
    type: "local_profile",
    id: fabricProfileId,
  },
});
// Open transaction.authorizationUrl in the system browser.
// Keep the transaction only in trusted backend memory with a short lifetime.

const tokens = await accounts.exchangeCode({
  callbackUrl,
  transaction,
});
const profile = await accounts.getProfile(tokens.accessToken);

The host application owns browser launching, the loopback callback, transaction lifetime, encrypted token storage, and account-to-local-profile mapping. Tokens must never be returned to an untrusted frontend.

productSubject is optional. Use it when a product links the Auvexis account to a local profile, device, or installation. Accounts receives it as auv_subject_type and auv_subject_id and can enforce product authorization policies such as replacing the previous active local profile for that product.

Refresh and revoke

const rotated = await accounts.refresh(tokens.refreshToken!);
await accounts.revoke(rotated.refreshToken!);

Persist the new refresh token after every successful rotation. Revocation removes remote authorization; deleting local tokens without calling revoke is a local logout.

Account resources

Use the protected account helpers from trusted product backends only. They require the user's Auvexis access token.

const account = await accounts.getAccount(tokens.accessToken);

await accounts.updateAccount(tokens.accessToken, {
  handle: "andredev",
});

const publicProfile = await accounts.getPublicProfile("andredev");

getAccount returns private account data for the current user. getPublicProfile returns only public display data by handle.

Product campaign events

Products can emit trusted events to Accounts so campaigns and badges are processed by the backend, not by local editable state.

await accounts.emitProductEvent(tokens.accessToken, {
  eventId: `fabric.workflow.published:${workflowId}:${account.id}`,
  type: "fabric.workflow.published",
  userId: account.id,
  occurredAt: new Date(),
  evidence: { workflowId },
});

Do not send productId or badge information. Accounts derives the product and account from the OAuth token and validates campaign eligibility server-side.

Products can also ask Accounts for current campaign status before emitting an event. This is an optimization for UX; Accounts still validates the event server-side.

const campaigns = await accounts.getProductCampaignStatuses(
  tokens.accessToken,
  "fabric.workflow.published",
);

const canSkip = campaigns.some(
  (campaign) => campaign.claimed || campaign.capacityReached,
);

Development Accounts server

Production defaults to https://accounts.auvexis.com. Override it explicitly for local development:

const accounts = createAuvexisAccountsClient({
  baseUrl: "http://127.0.0.1:8787",
  clientId: "local-client-id",
  redirectUri: "http://127.0.0.1:23801/oauth/callback",
});

OAuth endpoints are always resolved through Accounts discovery metadata.

Errors

AuvexisAccountsError.code is one of:

  • reauth_required: the authorization or refresh token is no longer valid.
  • unavailable: Accounts could not be reached or returned a server failure.
  • invalid_response: Accounts returned malformed data.
  • invalid_request: SDK input is invalid before contacting Accounts.
  • oauth_error: Accounts rejected an OAuth or protected-resource request.

Error messages and JSON serialization never include authorization codes or token values.

Badge trust

Profiles and badges returned by the SDK are verified responses from Accounts at request time. A persisted profile snapshot is display-only. Products must validate Accounts online in their backend before mapping badges to capabilities.

License

MIT