ScalixScalix Docs
Sign up

App Authentication

Add user authentication to your application with the client SDK

Overview

Scalix Auth provides a complete auth-as-a-service solution. Add signup, login, and session management to any application with a few lines of code.

Setup

Install the auth SDK:

bash
npm install @scalix-world/auth

Initialize with your API URL:

typescript
import { ScalixAuthClient } from "@scalix-world/auth";
 
const auth = new ScalixAuthClient({
  url: "https://api.scalix.world",
});

User Management

Get Current User

typescript
const user = await auth.getUser();
if (user) {
  console.log(user.email);
}

Update Profile

typescript
await auth.updateUser({
  data: { name: "Alice Smith" },
});

Session Management

Sessions are available via the REST API:

bash
# List sessions
curl -H "Authorization: Bearer $ACCESS_TOKEN" \
  https://api.scalix.world/v1/auth/sessions
 
# Revoke a session
curl -X DELETE -H "Authorization: Bearer $ACCESS_TOKEN" \
  https://api.scalix.world/v1/auth/sessions/$SESSION_ID

Admin Endpoints

Manage users from your server:

bash
# List all users
curl -H "Authorization: Bearer $SERVICE_TOKEN" \
  https://api.scalix.world/v1/auth/admin/users
 
# Ban a user
curl -X POST -H "Authorization: Bearer $SERVICE_TOKEN" \
  https://api.scalix.world/v1/auth/admin/users/usr_abc123/ban
 
# Delete a user
curl -X DELETE -H "Authorization: Bearer $SERVICE_TOKEN" \
  https://api.scalix.world/v1/auth/admin/users/usr_abc123
 
# Get auth configuration
curl -H "Authorization: Bearer $SERVICE_TOKEN" \
  https://api.scalix.world/v1/auth/admin/config
 
# Update auth configuration
curl -X PUT -H "Authorization: Bearer $SERVICE_TOKEN" \
  https://api.scalix.world/v1/auth/admin/config \
  -d '{"require_email_verification": true}'

Session Management

Access tokens expire after 1 hour (the default; per-project configurable). The SDK handles refresh automatically:

typescript
auth.onAuthStateChange((event, session) => {
  if (event === "TOKEN_REFRESHED") {
    console.log("Token refreshed", session?.access_token);
  }
});

Protecting Routes

Server-side token validation:

Validate an end-user access token by calling the auth user endpoint with it as the bearer token — a 200 means the session is valid:

typescript
async function protectedEndpoint(req, res) {
  const token = req.headers.authorization?.split(" ")[1];
  const r = await fetch("https://api.scalix.world/v1/auth/user", {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!r.ok) return res.status(401).json({ error: "Unauthorized" });
 
  res.json({ user: await r.json() });
}