npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@konijima/identity-api

v1.0.0

Published

A fully typed, secure Node.js/TypeScript wrapper for the Identity Microservice API. Provides easy backend integration for authentication, session management, 2FA, and more by interacting with your real identity service.

Downloads

3

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

konijimakonijima

Keywords

identityauthenticationtypescriptclientapijwtmicroservice

Readme

identity-client

A TypeScript/Node.js wrapper for the Identity Microservice API. This package provides a fully typed, backend-focused client for securely integrating with your identity/auth microservice. It handles all request/response typing, error handling, and security best practices, making it easy to call the actual identity service from any Node.js backend (Express, Fastify, etc).

What is this project?

identity-client is a backend-only npm package that:

  • Wraps all endpoints of your identity microservice (login, registration, 2FA, session management, email change, etc)
  • Provides strict TypeScript types for all requests and responses
  • Handles token management, 2FA flows, and session tracking
  • Is not for frontend/browser use—never forward sensitive fields to the client!

API Endpoints (Methods)

Authentication

  • login({ email, password })
    • Authenticate a user. Returns access/refresh tokens, or a code indicating 2FA is required.
  • refresh({ refreshToken }, accessToken?)
    • Refresh the access token using a valid refresh token.
  • logoutSession({ sessionId })
    • Invalidate a specific session (device/browser).
  • listSessions()
    • List all active sessions for the current user, including device/IP metadata.

2FA (Two-Factor Authentication)

  • toggle2FA({ enable })
    • Start enabling or disabling 2FA for the current user.
  • confirmEnable2FA({ email, code })
    • Confirm enabling 2FA with a code sent to the user.
  • confirmLogin2FA({ email, code })
    • Complete login if 2FA is required (after initial login call).

User Info

  • me()
    • Get the current authenticated user's profile and status.

Email Change

  • requestEmailChange({ newEmail })
    • Request to change the user's email. Returns a token to send to the new address.
  • confirmEmailChange({ email, token })
    • Confirm the email change using the token sent to the new address.

Example Usage

Basic Setup

import { IdentityClient } from 'identity-client';

const client = new IdentityClient({
  baseUrl: 'http://localhost:3001/api',
  getAuthToken: () => myAccessToken, // Optional: for auto-injecting Authorization
});

Login and 2FA

const loginRes = await client.login({ email: '[email protected]', password: 'StrongP@ssw0rd!' });
if (loginRes.code === 'LOGIN_2FA_REQUIRED') {
  // Prompt user for 2FA code, then:
  const confirmRes = await client.confirmLogin2FA({
    email: '[email protected]',
    code: userInput2FACode,
  });
  // confirmRes contains tokens if successful
}
if (loginRes.token) {
  // Save loginRes.token and loginRes.refreshToken securely (never send to frontend)
}

Get Current User

const me = await client.me();
console.log(me.email);

Session Management

const sessions = await client.listSessions();
await client.logoutSession({ sessionId: sessions.sessions[0].sessionId });

Email Change Flow

const reqRes = await client.requestEmailChange({ newEmail: '[email protected]' });
// Send reqRes.emailChangeToken to the new email address (never expose to frontend)
const confirmRes = await client.confirmEmailChange({
  email: '[email protected]',
  token: reqRes.emailChangeToken!,
});

2FA Enable/Disable

const enableRes = await client.toggle2FA({ enable: true });
await client.confirmEnable2FA({ email: '[email protected]', code: enableRes.twoFACode! });
await client.toggle2FA({ enable: false });

Token Refresh

const refreshRes = await client.refresh({ refreshToken: myRefreshToken }, myAccessToken);

Express Server Example

import express from 'express';
import { IdentityClient } from 'identity-client';

const identityClient = new IdentityClient({
  baseUrl: 'http://localhost:3001/api',
});

const app = express();
app.use(express.json());

// Login route (proxy to identity microservice)
app.post('/api/login', async (req, res) => {
  const { email, password } = req.body;
  const result = await identityClient.login({ email, password });
  // Only forward safe fields to frontend! Never expose refresh tokens, 2FA secrets, or internal metadata.
  res.json({
    token: result.token, // If you use JWTs in frontend
    code: result.code,
    // ...other non-sensitive fields as needed
  });
});

// Authenticated route using access token from client
app.get('/api/me', async (req, res) => {
  const accessToken = req.headers['authorization']?.replace('Bearer ', '');
  const client = new IdentityClient({
    baseUrl: 'http://localhost:3001/api',
    getAuthToken: () => accessToken,
  });
  const me = await client.me();
  res.json(me);
});

// Token refresh
app.post('/api/refresh', async (req, res) => {
  const accessToken = req.headers['authorization']?.replace('Bearer ', '');
  const { refreshToken } = req.body;
  const client = new IdentityClient({
    baseUrl: 'http://localhost:3001/api',
    getAuthToken: () => accessToken,
  });
  const result = await client.refresh({ refreshToken }, accessToken);
  res.json(result);
});

// Email change flow
app.post('/api/request-email-change', async (req, res) => {
  const accessToken = req.headers['authorization']?.replace('Bearer ', '');
  const { newEmail } = req.body;
  const client = new IdentityClient({
    baseUrl: 'http://localhost:3001/api',
    getAuthToken: () => accessToken,
  });
  const result = await client.requestEmailChange({ newEmail });
  // Send result.emailChangeToken to the new email address (never expose to frontend)
  res.json({ status: 'ok' });
});

// ...other routes for 2FA, session management, etc.

app.listen(4000, () => {
  console.log('Backend API running on port 4000');
});

Security & Usage Notes

Authentication

  • Never expose access or refresh tokens to the frontend. Use HTTP-only cookies or secure server-side storage.
  • Always validate credentials server-side. Do not proxy login directly to the frontend.

2FA (Two-Factor Authentication)

  • 2FA codes (twoFACode/setupCode) are sensitive and must never be sent to or stored in the frontend.
  • Only backend systems should handle 2FA confirmation and enable/disable flows.
  • Always require both email and twoFACode for confirmation endpoints.

Session Management

  • Session and device/IP metadata are for backend auditing and security. Never expose session tokens or metadata to the frontend.
  • Use listSessions and logoutSession only in trusted backend contexts.

Email Address Change

  • Email change tokens must only be sent to the new email address, never to the user’s browser or frontend.
  • Always confirm email changes server-to-server.

User Info

  • The me() endpoint returns the current authenticated user's info. Only expose non-sensitive fields to the frontend.
  • Never expose internal user IDs or metadata unless required and safe.

Token Refresh

  • Refresh tokens are highly sensitive. Never send them to the frontend or store them in local/session storage.
  • Always use secure, backend-only flows for token refresh.

Build

npm install
npm run build

Publish

Only the dist/ directory will be published to npm.