npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@seamless-auth/core

v0.1.1

Published

Framework-agnostic core authentication logic for SeamlessAuth

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

bcb_1000bcb_1000

Keywords

Readme

@seamless-auth/core

npm version license

Seamless Auth – Core

@seamless-auth/core contains the framework-agnostic authentication logic that powers the Seamless Auth ecosystem.

It is designed to be:

  • deterministic
  • auditable
  • testable
  • independent of any web framework

If you are building a custom adapter (Express, Fastify, Next.js, Hono, etc.), this is the package you integrate with.

What This Package Is

  • Core authentication state machine
  • Cookie validation and refresh logic
  • Service-token–based API ↔ Auth Server communication
  • Stateless, cryptographically verifiable flows

This package does not:

  • depend on Express or any framework
  • read environment variables
  • set cookies or headers directly
  • manage HTTP requests or responses

Who Should Use This

You should use @seamless-auth/core if:

  • You are building a backend adapter
  • You want full control over your HTTP layer
  • You are integrating Seamless Auth into a non-Express runtime
  • You want to audit or extend authentication behavior

If you are using Express, you probably want:

@seamless-auth/express

Design Principles

  • Explicit trust boundaries
    Browser cookies are never forwarded upstream.

  • Stateless by default
    All session data is encoded and signed.

  • Short-lived assertions
    Service tokens are minimal and ephemeral.

  • No hidden magic
    All inputs are explicit.

Core Concepts

Identity States

  • Unauthenticated
  • Pre-authenticated (OTP / WebAuthn in progress)
  • Authenticated (access cookie issued)

Core helpers enforce transitions between these states.

Public API (Overview)

Key exports include:

  • ensureCookies(...) – validates and refreshes session cookies
  • refreshAccessToken(...) – rotates expired access sessions
  • verifyCookieJwt(...) – verifies signed cookie payloads
  • createServiceToken(...) – creates short-lived M2M assertions

These functions return descriptive results, not HTTP responses.

Example (Adapter Pseudocode)

const result = await ensureCookies(
  { path, cookies },
  {
    authServerUrl,
    cookieSecret,
    serviceSecret,
    issuer,
    audience,
    keyId,
    accessCookieName,
    refreshCookieName,
    preAuthCookieName,
  },
);

if (result.setCookies) {
  // adapter applies cookies
}

if (result.type === "error") {
  // adapter sends HTTP error
}

Testing

All logic in this package is tested against compiled output (dist/), ensuring behavior matches production runtime exactly.

License

AGPL-3.0-only © 2026 Fells Code LLC

This license ensures:

  • transparency of security-critical code
  • freedom to self-host and modify
  • sustainability of the managed service offering

See LICENSE for details.