@opengolfapi/sign-in
v3.0.0
Published
Sign in with OpenGolf — a drop-in OpenGolfID button (OIDC Authorization Code + PKCE). Identity for any golf app, in five minutes.
Maintainers
Readme
@opengolfapi/sign-in
Sign in with OpenGolf — a drop-in OpenGolfID button for any golf app. One portable, pseudonymous golfer identity across every app that builds on OpenGolf. Standard OIDC (Authorization Code + PKCE), no client secret, no backend required to start.
Signing in with OpenGolf is also how a developer becomes eligible for an API key — no OpenGolf ID, no key. This package is the fastest path to both.
npm i @opengolfapi/sign-in1. Add the button (React)
import { SignInWithOpenGolf } from "@opengolfapi/sign-in/react";
<SignInWithOpenGolf
clientId="my-app" // any stable string naming your app
redirectUri="https://my.app/callback" // an https route in your app
/>2. Handle the return (your /callback route)
import { useOpenGolfCallback } from "@opengolfapi/sign-in/react";
export default function Callback() {
const { result, error, loading } = useOpenGolfCallback({
clientId: "my-app",
redirectUri: "https://my.app/callback",
});
if (loading) return <p>Signing in…</p>;
if (error) return <p>Sign-in failed.</p>;
// result.sub → the user's OpenGolf ID (e.g. ogid_…)
// result.accessToken → send as `X-OpenGolf-Token` for keyed calls
return <p>Signed in as {result!.sub}</p>;
}No React? Framework-agnostic API
import { signIn, handleRedirectCallback, isRedirectCallback } from "@opengolfapi/sign-in";
// on a "sign in" click:
await signIn({ clientId: "my-app", redirectUri: "https://my.app/callback" });
// on your callback page:
if (isRedirectCallback()) {
const { sub, accessToken, idToken } = await handleRedirectCallback({
clientId: "my-app", redirectUri: "https://my.app/callback",
});
}Trust it server-side
The idToken is an RS256 OIDC token. Verify it on your backend before trusting the identity:
import { verifyOpenGolfToken } from "@opengolfapi/sign-in/verify";
const claims = await verifyOpenGolfToken(idToken); // throws if invalid/expired
// claims.sub === the user's OpenGolf IDRuns anywhere with Web Crypto — Node 18+, Bun, Deno, Cloudflare Workers, edge.
How it works
Pure OIDC against the live OpenGolf identity service:
signIn() ─▶ /oauth/authorize ─▶ user verifies by email OTP
◀─ redirect ?code ◀─
handleRedirectCallback() ─▶ /oauth/token ─▶ { id_token, access_token }- PKCE (S256) — no client secret; safe to run fully in the browser.
- Endpoints are discovered from
/.well-known/openid-configuration(default issuerhttps://api.opengolfapi.org; override withissuer). - Identity-only — the
id_tokenasserts who the user is, nothing more.
Scopes & the key flow
After sign-in, send accessToken as the X-OpenGolf-Token header to:
- mint a developer key —
POST /api/v1/developer/keys - call any keyed endpoint on your users' behalf
Links
- Docs & live API reference — https://opengolfapi.org/docs
- AI/agent guide — https://api.opengolfapi.org/llms.txt
- OpenAPI 3.1 — https://api.opengolfapi.org/openapi.json
OpenGolfAPI is a non-profit open commons for golf, founded by Chicago tech entrepreneur Julian Pretto. MIT-licensed. Questions: [email protected]
