Installation

The @yorauth/js-sdk package supports any JavaScript or TypeScript project. It ships with full TypeScript type definitions and has no mandatory peer dependencies.

The JavaScript SDK is currently in development. This documentation describes the intended API. The package is not yet published to npm.

Requirements

Node.js 18+ (or compatible server-side JavaScript runtime: Deno, Bun, Cloudflare Workers)
TypeScript 4.7+ (optional but recommended)

For client-side browser usage, see the framework-specific SDKs: @yorauth/react-sdk (Next.js) or @yorauth/vue-sdk (Nuxt).

API keys are server-side credentials. Never include your YorAuth API key in client-side JavaScript, browser bundles, mobile apps, or any publicly accessible code. Exposed API keys grant full access to your application's user data, roles, permissions, and configuration.

Server-Side vs. Client-Side Authentication

Credential	Environment	Use Case
API key	Server only (Node.js, PHP, serverless)	Server-to-server API calls, backend integrations
JWT access token	Client or server	Authenticated API calls after user login
OIDC client secret	Server only	OIDC token exchange in confidential clients

What Happens If an API Key Is Exposed

If your API key appears in client-side code:

Any visitor to your site can extract it from the browser's developer tools or the JavaScript bundle
The attacker can use the key to read, modify, or delete your application's users, roles, permissions, webhooks, and audit logs
YorAuth cannot distinguish between legitimate server-side requests and requests using a stolen key

If You Suspect Key Exposure

Immediately rotate the key in the YorAuth Dashboard under API Keys
Review your audit logs for unauthorized activity
If unauthorized access to user data occurred, follow your incident response plan and applicable breach notification requirements
Contact security@yorauth.com

Runtime Protection

The SDK detects browser environments and throws an error if an API key is provided in client-side code. This prevents accidental credential exposure in production builds.

If you encounter this error in a legitimate server-side context (such as during SSR hydration), ensure your API key initialization only runs on the server. In Next.js, use Server Components or API routes. In Nuxt, use server middleware or server plugins.

Package Managers

bash

npm install @yorauth/js-sdk

bash

yarn add @yorauth/js-sdk

bash

pnpm add @yorauth/js-sdk

Initialization

Create a single YorAuth instance and export it from a shared module. Do not create multiple instances for the same application.

typescript

// lib/yorauth.ts
import { YorAuth } from '@yorauth/js-sdk';

export const yorauth = new YorAuth({
  applicationId: 'your-application-id',
  baseUrl: process.env.YORAUTH_BASE_URL!,
  apiKey: 'your-api-key',
});

Retrieve your application ID and API key from the YorAuth Dashboard. Store them in environment variables — never commit keys to source control.

bash

# .env
YORAUTH_APPLICATION_ID=your-application-id
YORAUTH_BASE_URL=https://your-yorauth-instance.example.com
YORAUTH_API_KEY=your-api-key

typescript

// lib/yorauth.ts
import { YorAuth } from '@yorauth/js-sdk';

export const yorauth = new YorAuth({
  applicationId: process.env.YORAUTH_APPLICATION_ID!,
  baseUrl: process.env.YORAUTH_BASE_URL!,
  apiKey: process.env.YORAUTH_API_KEY!,
});

Configuration Options

The YorAuth constructor accepts the following options:

Option	Type	Default	Description
`applicationId`	`string`	required	Your YorAuth application UUID
`baseUrl`	`string`	required	API base URL (e.g. `process.env.YORAUTH_BASE_URL`)
`token`	`string`	`undefined`	JWT Bearer token
`apiKey`	`string`	`undefined`	SERVER-SIDE ONLY. API key for server-to-server auth. Never expose in client-side code.
`refreshToken`	`string`	`undefined`	Refresh token for automatic token refresh on 401
`timeout`	`number`	`30000`	Request timeout in milliseconds

Example with All Options

typescript

import { YorAuth } from '@yorauth/js-sdk';

const yorauth = new YorAuth({
  applicationId: 'your-application-id',
  baseUrl: process.env.YORAUTH_BASE_URL!,
  apiKey: 'your-api-key',
  token: 'eyJhbGciOiJSUzI1NiI...',       // optional — JWT Bearer token
  refreshToken: 'refresh-token-value',     // optional — enables auto-refresh on 401
  timeout: 15000,
});

TypeScript Support

The SDK ships with full TypeScript definitions. No @types package is needed. All method parameters and return types are typed.

typescript

import { YorAuth, YorAuthError } from '@yorauth/js-sdk';
import type { AuthResponse, AppUser } from '@yorauth/js-sdk';

const yorauth = new YorAuth({
  applicationId: 'your-application-id',
  baseUrl: process.env.YORAUTH_BASE_URL!,
});

// Full type inference on responses
const response = await yorauth.auth.login({
  email: 'user@example.com',
  password: 'secret',
});

Framework Integration

React / Next.js

Install the React SDK (separate package):

bash

npm install @yorauth/react-sdk @yorauth/js-sdk

tsx

// app/providers.tsx
'use client';
import { YorAuthProvider } from '@yorauth/react-sdk';
import '@yorauth/react-sdk/styles.css';

export function Providers({ children }: { children: React.ReactNode }) {
  return (
    <YorAuthProvider
      applicationId="your-app-id"
      baseUrl={process.env.NEXT_PUBLIC_YORAUTH_BASE_URL!}
    >
      {children}
    </YorAuthProvider>
  );
}

tsx

// In a component
import { useAuth, useUser } from '@yorauth/react-sdk';

export function ProfileButton() {
  const { logout } = useAuth();
  const { user } = useUser('user-uuid');

  if (!user) return <a href="/login">Sign in</a>;

  return (
    <button onClick={() => logout()}>
      Sign out ({user.email})
    </button>
  );
}

Vue 3 / Nuxt

Install the Vue SDK (separate package):

bash

npm install @yorauth/vue-sdk @yorauth/js-sdk

typescript

// plugins/yorauth.ts
import { YorAuthPlugin } from '@yorauth/vue-sdk';
import '@yorauth/vue-sdk/styles.css';

export default defineNuxtPlugin((nuxtApp) => {
  nuxtApp.vueApp.use(YorAuthPlugin, {
    applicationId: 'your-application-id',
    baseUrl: import.meta.env.VITE_YORAUTH_BASE_URL,
  });
});

html

<!-- In a component -->
<script setup lang="ts">
import { useAuth } from '@yorauth/vue-sdk';
const { user, isAuthenticated, logout } = useAuth();
</script>

<template>
  <button v-if="isAuthenticated" @click="logout()">Sign out</button>
  <a v-else href="/login">Sign in</a>
</template>

Next Steps

Authentication — Register users, log in, handle MFA
Authorization — Check permissions, manage roles