1 of 100

Authgear

Get Started

5-Minute Guide

A quick guide on getting started with Authgear

Authgear makes it easy to add user authentication and authorization to any application. In this guide, we'll show you how to get started with Authgear in 5 minutes.

Video Guide

1. Create Authgear account

To start using Authgear in your application, create a free Authgear account on .

After you sign up, you'll see the onboarding screen that will guide you through the process of creating your first Authgear project.

2. Authgear Projects

An Authgear project is similar to a container that holds all your users, settings, and client applications. You need an Authgear project before you can start signing users up.

You can create multiple projects under one account based on your needs. When you create multiple projects, each project is isolated from the others. For example, you can create Project 1 for your e-commerce business and Project 2 for a fitness club you organize. Project 1 and Project 2 will not share the same users or settings.

To create an additional project, log in to your Authgear account then click on the "Create Project" button.

Now that you have created a project in Authgear, you're ready to integrate Authgear into your applications for your customers/users to sign up and log in. See our documentation for adding Authgear to your application or website for your favourite framework and programming language.

Before any integration, you can try out the signup flow for your project from the "Getting Started" page.

You should be greeted with the AuthUI Login/Sign-up page. Use the form to create a new user account under your project.

The flow for sign-up and login will differ based on the login method you enable for your Authgear project. For example, users can sign up using their phone number and password if you enable the Mobile login method.

4. User Settings Page

After logging in from the previous step, you can check out the Pre-Built User Settings Page. This page is the default page where users of your project can edit their profile and manage security settings.

Click on the Edit Profile to edit and view profile attributes such as first name, last name, photo, etc.

Users can manage the identities (email address, phone number, or social media account) linked to their account under the My Account section of the User Settings page.

The Security section of the User Settings page has the following options:

Password: users can change their password from here.
2-step verification: users can click on this option to view and manage 2-step authenticators for their account. The option is only available when you enable 2FA for your project in Authgear Portal > Authentication > 2FA.
Signed-in device: from this page, the user can view browsers and devices that their account is currently signed in on.

You can learn more about the User Settings page .

5. Integrate Authgear with Your Application or Website

To get more from Authgear and use Authgear to add user authentication to your web or mobile application, you should integrate Authgear to your application or website.

Authgear has official SDKs for integrating Authgear with React, React Native, ionic, Native Android, iOS, and Flutter applications. See the section of Authgear documentation for detailed instructions for each SDK and using other frameworks without the official SDK.

6. View and Manage Your Users

Authgear offers multiple options for viewing and managing all users who sign up for your project. These options include:

Authgear Portal

The quickest way to manage your users is from the Authgear Portal. To open the user management page in the Authgear Portal, click on the User Management link in the navigation bar on the left side.

Click on Users to view a list of all the users in your project. Click on a user from the list to view their complete profile and perform administrative operations like modify profile details, suspend/unsuspend user, delete account, etc.

You can also add new users to your project from the User Management page. To do that, click on the Create User button on the right.

7. Continue Exploring Authgear

Continue to navigate around the Authgear Portal to see all the features and settings available for your project.

You can also check out any of the following guides to learn more about Authgear:

login and sign-up page to match your branding needs using the Design tool
guides on how to .
how to .

Start Building

Choose the integration approach based on application type

Integration Approaches

There are 3 different high-level approaches to integrating Authgear with your applications:

Mobile apps or single-page web applications: The frontend clients integrate with Authgear's SDKs, which handle full login flow and session management. It's important to validate the session in your backend server.

Single-Page App

You need to protect a JavaScript SPA application that runs entirely in a browser

Native/Mobile App

If you are developing mobile or desktop applications, choose from one of these SDKs for your platform to get started.

Using Authgear without SDK (Client side)

Integrate Authgear on the client side in mobile apps without SDK

Authgear is built based on OIDC 2.0 standard, you can integrate it into any application framework without SDK.

Supported grant types

Authorization Code Flow with Proof Key for Code Exchange (PKCE)

For public clients like mobile apps and SPAs, PKCE flow should be used. It uses code_challenge_method & code_challenge

Regular Web App

Traditional web app that runs on the server

If your application is a traditional web app running on a server, for example, Java EE, Express, PHP, GO, Laravel, or ASP.NET Core MVC, you can leverage the OpenID Connect (OIDC) protocol to authenticate users via Authgear. A wide range of plug-and-play libraries can be found that simplify the integration process. These libraries handle crucial tasks such as authentication requests, session management, and redirecting users back to your application seamlessly.

Express Next.js Python Flask App Java Spring Boot ASP.NET Core MVC Laravel PHP

Backend/API Integration

An API or service protected by Authgear

If your API or backend service needs authentication, you can validate the session in your application server code. Each request from the client to your application server should contain an access token or a cookie. Your backend server should validate them for each HTTP request.

There are different approaches to verify the requests based on whether you validate JWT (JSON Web Tokens) in your server, or forward authentication to Authgear Resolver Endpoint.

Validate JSON Web Token (JWT) in your application server

Forward Authentication to Authgear Resolver Endpoint

AI Coding tools

Generative AI powered by large language models (LLMs) has revolutionized software development, giving rise to a new paradigm called “Vibe Coding.” This approach empowers individuals with ideas—regardless of their coding expertise—to create software quickly and intuitively. For developers, generative AI automates repetitive tasks, boosts productivity, and even enhances code quality in some cases.

While vibe coding is undeniably exciting, there’s one area where caution is essential: security. AI-generated code can sometimes be buggy or incomplete, and when deployed in real-world applications, critical aspects like user authentication and data protection cannot be left to chance.

Plug-and-Play Security with Authgear

To bridge this gap, Authgear offers a plug-and-play authentication solution that ensures your AI-generated applications are enterprise-grade secure. With the right prompts, developers can integrate robust security features into their projects in seconds. These features include:

: Add an extra layer of security to user accounts.
Email/Phone Verification with OTP: Ensure user identities are verified during sign-up or login.
: Safeguard against unauthorized access attempts.
: Keep malicious bots at bay.

By incorporating Authgear into your vibe coding workflow, you can focus on building innovative applications while ensuring top-notch security for your users.

Tips for using AI Codeing tools:

SAML Attribute Mapping

By default, only the sub field of the UserInfo is included in the SAML assertion. To include other fields like users' email address, phone number, etc., you can set up SAML Attribute Mapping for the fields.

SAML Attribute Mapping allows you to configure your Authgear client application to include additional fields in the SAML assertion. This is a great way to pass additional data from Authgear to your SAML application that depends on Authgear as an Identity Provider.

Authgear supports using SAML attribute mapping to include additional fields in the SAML assertion using any field in the user profile attributes (UserInfo).

There's also support for a template that can be used to customize the values of the fields before including them in the SAML assertion. For example, the template {{.preferred_username}}@example.com will return the preferred_username field from the UserInfo prepended to '@example.com'.

Authentication and Access

Authentication

Implement Authgear to control access to your applications

Authgear simplifies the use of open industry standards like OAuth 2.0, and OIDC. Users can log into your applications with a variety of user login options. This set of how-to guides provides you with detailed instructions, code snippets, and configuration examples for each type of login method.

Change Forgot/Reset Password settings

Configure password reset/account recovery processes.

The Forgot/Reset Password settings tab allows you to configure the behaviour of the account recovery process for your Authgear project.

Enable Reset Password

Select a login method and navigate to the password settings tab. The login method chosen controls how the user can reset their password:

Phone (OTP only)
Email (link or OTP)
Both

If both options are available, the user will be able to choose between using phone or email for account recovery.

Recovery via phone

You can choose how you want the OTP to be delivered. In the following example, the user will receive an OTP via "WhatsApp or SMS". This means the user can select their preferred method during reset.

The valid duration (in seconds) for the OTP or reset link can also be customized. This duration does not determine the minimum delay before resending OTPs or links.

As an example, if OTP is enabled as the recovery method, users will see the following screen to verify their identity during password reset:

Once you're done, save your changes to enable the new configuration.

How to Handle Password While Creating Accounts for Users

Recommended practices for setting password for a user account created on the Authgear Portal

For creating accounts and sending users their passwords using Admin API, see createUser in the Admin API documentation.

In this post, we'll cover a few options and describe examples of automating the process of sending passwords to new users using the Authgear Portal or webhooks.

At this moment, Authgear only sends passwords to email accounts.

For security reasons, it is not recommended to send users their passwords via text. SMS is unencrypted and insecure for transmitting passwords.

How to create a user and send the password via email

Navigate to User Management > Users. From the Users page, click on the Create User button in the top right corner.

Enter the user's credentials and input a secure password you wish to set for the user, or click on Generate to have Authgear automatically create a new password.

What happens if the user loses the preset password?

Users can still log in to their new account if they lose the password you set for them. They can click Forgot Password during login, and an OTP or link will be sent to the user. The user can then set a new password.

Reset Password for Users

Guide on resetting a user's password via the Authgear Portal or AdminAPI

How to reset a user's password via Authgear Portal

In your project, navigate to User Management > Users. Then click on the user whose password you would like to reset.

Go to the user's Account Security tab, and click on Change Password. You can also require the user to change their password on login by enabling the Ask to change password on login toggle.

You can either enter a secure password you wish to set for the user in the Password field, or click on Generate to have Authgear automatically create a new password for the user.

Check the "Send the password to user's email" box to enable Authgear to send the password entered in the Password field to the user.

If you wish to force users to change their password upon logging in with the password you set for them, enable "Ask user to change password on login". Otherwise, users can continue using the password you set for them.

Finally, remember to click Change to save your changes.

How to reset a user's password via AdminAPI

See under Reference > APIs > Admin API > API Queries and Mutations.

What happens if the user loses the preset password?

Add WhatsApp OTP Login

Allow users to log into your app via OTP with WhatsApp, as a secure alternative to SMS

Authgear let your users login passwordlessly with WhatsApp OTP.

To enable this feature from the Portal:

Go to Authentication > Login Methods, we are going make few changes on this page.
In the top section of Select Login Methods, select Mobile.
In Authentication of Select Login Methods, select Passwordless.
In the tabs section below, switch to the tab Verification and OTP.
In the dropdown Verify phone number by, select either WhatsApp or SMS or WhatsApp only.
Press Save on the top left corner.

When the user login with their phone number, a WhatsApp message with an OTP and the app name will be received. They can copy the code by tapping on the "Copy code" button and log in by the code.

If "Verify phone number by WhatsApp or SMS" is enabled, the user can switch to receive the OTP via SMS instead in the login page.

Add Email Magic Link Login

Passwordless login with email links

Email Login Links, also known as "magic link", is a passwordless authentication method that allows users to log into a website or application without using a traditional password. Instead, it relies on a unique link sent to the user's email address.

Here's how it works:

User initiates the login process by entering their email address on the login page.
Authgear generates a unique, time-limited login link associated with the user's email address.
The link is sent to the user's email inbox, with a button prompting them to click on it to log in.
The user clicks on the link, and approve the login
The user is securely logged in to the app or website.

Magic link login offers several advantages. It eliminates the need for users to remember and manage passwords, reducing the risk of weak or reused passwords. It also simplifies the login process and reduces friction, as users only need to access their email to authenticate.

To enable Email Login Links:

In the Authgear Portal, go to "Authentication" > "Login Methods"
Select "Email" or "Mobile/Email" as login methods
Go to the "Verification and OTP" tab

Disable Public Signup

For many business applications, it's important to restrict who can register for your platform. By disabling public signups in Authgear, you can ensure that new users are only added through your internal processes, such as the Admin API or the Authgear Portal.

Disable public signup if you want to:

Control user access and approval for your application.

Custom Authentication Flow

Allow users to authenticate with a custom flow.

In Authgear, you can build your own custom login and sign-up pages instead of using the built-in ones.

In Authentication > Login Methods, if Email and phone number are both enabled, the user will be able to choose between their preferred method during login.

In the example above, the user can choose to signup/login with either an email address or a phone number, but they cannot register with both at the same time.

Single Sign-on Overview

Provide a seamless user experience across multiple applications with the single sign-on feature.

Single sign-on (SSO) is defined as login once, logged in all apps. If you have multiple mobile apps or websites that wants to streamline the user experiences. You can configure your apps to turn on the SSO feature, so the end-users only have to enter their authentication credentials once.

There are multiple ways to achieve Single Sign-on, with various pros-and-cons:

Related Feature

Technical Remarks

Force Authgear to Show Login Page

Force Authgear to always show login page even if the user have already logged in.

When user login / signup to Authgear, it usually starts with your application making a request to the authorization endpoint, which leads to a login or signup screen.

If the user is already signed in on the browser, the Single Sign On feature will show a "Continue Screen" instead as follows.

If your application do not want to utilize the Single Sign On feature, and always show the login / sign up screen instead, you can force Authgear to show login page by using prompt="login" at the authorize endpoint.

Social Login Providers

Connect Apps to GitHub

Prerequisite

Follow the official guide to create a OAuth App.
In "Authorization callback URL", use https://<YOUR_AUTHGEAR_ENDPOINT>/sso/oauth2/callback/github.
After the creation, click "Generate a new client secret". Remember the client secret.

In the portal, go to Authentication > Social / Enterprise Login.
Enable Sign in with GitHub.
Fill in Client ID.
Fill in Client Secret

🎉 Done! You have just added GitHub integration to your apps!

Connect Apps to LinkedIn

Guide on how to add LinkedIn as a social login provider

Prerequisite

A LinkedIn Developer profile. You can create one on the .
LinkedIn App

Enterprise Login Providers

Connect Apps to Azure AD B2C

Prerequisite

Sign in Microsoft Azure.
Create a B2C tenant by following this tutorial.
Enable self-service sign-up for the tenant by following
Go back the main page of and search for "Azure AD B2C"
Create a app registration for Authgear by following .
Configure "Redirect URI" with https://<YOUR_AUTHGEAR_ENDPOINT>/sso/oauth2/callback/azureadb2c.
Follow to create a sign-up and sign-in user flow.
After creating the user flow, configure it

Open "Application Claims".
Make sure "Email Addresses" is checked.

If you have finished the above prerequisite, you should have the following information:

The Tenant Name, obtained in Step 2
The Application (Client) ID, obtained in Step 5
The Policy (User flow) Name, obtained in Step 7

Then in Authgear portal, do the following:

In the portal, go to Authentication > Social / Enterprise Login.
Enable Sign in with Microsoft Azure AD B2C.
Fill in Client ID with the Application (Client) ID above.

🎉 Done! You have just added Azure AD B2C Login to your apps!

Azure AD B2C automatically logs in to the same account without requiring a username and password. To prevent this behaviour, you can use the prompt=login parameter to force Azure AD B2C to show the login page. See our in Authgear SDKs to learn more.

Force Social/Enterprise Login Providers to Show Login Screen

Use OIDC prompt parameter to force OAuth providers to show login screen.

The prompt="login" parameter which is defined in the can prompt Social/Enterprise Login Providers to always show their login screen. As a result, you can use the prompt="login" parameter to allow users to switch accounts when their previous authentication session on the provider is still stored.

In this post, you'll learn how to use prompt: "login" in Authgear SDKs to force OIDC providers to always show your users their login screen. You can also use prompt: "login" to allow users to switch accounts with a Social/Enterprise Login provider on the same device (or browser).

FAQ for Authentication

Tips for Apple App Store Review with Passwordless Login

How to pass the Apple Store review process if your app uses passwordless login.

When you try to publish a mobile app on the Apple AppStore, there will be an . You need provide a demo user account for the reviewers to access the features of the app.

However, passwordless login via email/phone OTP cannot be used in the review because the reviewer do not have access to the email inbox or phone number of that demo account.

To work around this, you can enable "test mode" for a specific phone number or email address that allows the account to authenticate with a fixed OTP (e.g. 000000).

How to enable "test mode"

Phone Number Validation

Use the Phone Number Validation Settings to configure your app to check the phone number your users enter without depending on SMS or WhatsApp for validation and verification.

Under the hood, the Phone Number Validation Settings uses the library. The library can parse, format, and validate phone numbers for all countries/regions in the world.

To access Phone Number Validation settings in your Authgear project, navigate to Authentication > Login Methods in the Authgear Portal.

Next, select a login method that uses mobile phone number as login ID (e.g., Mobile, Mobile/Email, or Custom with phone number enabled as login ID). Then, scroll down to the Phone Number Validation section. Select validate phone number with libphonenumber or validate only the country code and phone number length.

Integration

User Profiles

Mobile Apps

Learn how to integrate Authgear with mobile apps using SDKs and advanced configurations

This section covers mobile-specific integration patterns and configurations for Authgear.

Integration with other Software

FAQ for Integration

Skip Login Screen and Direct Users to Enterprise Login

Learn how to take users directly to an external OAuth provider's authorization page without opening AuthUI login page.

You can use Authgear's x_oauth_provider_alias parameter to add social/enterprise login to your application without showing any AuthUI pages. To do this, you must enable the Social/Enterprise only login method for your project in Authgear Portal.

In this post, you'll learn how to use the x_oauth_provider_alias parameter to skip AuthUI and take users directly to a social/enterprise login provider's authorization page.

Pre-requisite

An Authgear account. Create one for free .

What We Will Build

In this post, we'll walk through the steps for adding only the social/enterprise login method to an Authgear application.
We'll use the Authgear SDK for React Native to set the x_oauth_provider_alias parameter and show how to use x_oauth_provider_alias without the SDK in an example Express app.

The sequence diagram above demonstrates the flow for using x_oauth_provider_alias to skip AuthUI.

First, when the user clicks on the sign-in button, your application will call your Authgear project's authorize endpoint with the x_oauth_provider_alias parameter appended.

Next, when Authgear server receives the call, it redirects to the third-party OAuth (Social/EnterpriseLogin) provider's authorization server. The user is then shown the OAuth provider's login/authorization page for them to grant authorization. Once that is done, the OAuth provider returns an authorization code to Authgear.

In the next step, Authgear exchanges the authorization code for an access token, refresh token, and ID token and then starts creating a new user or logging the existing user in.

The rest of the flow from there involves the usual sending of the authorization code to the client application and the client application exchanging the authorization code for an access token, refresh token, and ID token.

The first step is to add the Social/Enterprise login provider you wish to use to your Authgear project. For our example, we'll be adding Facebook.

To add a new provider, log in to Authgear Portal, select your project, then navigate to Authentication > Social/Enterprise Login.

Next, click on the Edit button, then enter the Client ID and Client Secret for the Social/Entreprise login provider then click Save. Also, note the value for Alias as you'll use it in a later step.

See our guide for instructions on how to get a Client ID and Client Secret for Facebook Login.

An important step for making Authgear to skip AuthUI is to enable the Social/Enterprise only login method. By doing this, Authgear will understand that the only login method your app will use is from a third-party OAuth provider. As a result, it's ok to skip showing AuthUI for login, registration, or login method selection and go to the OAuth provider's authorization page directly.

To enable Social/Enterprise only, navigate to Authentication > Login Methods. Next, select the Social/Enterprise only Login Method and click Save.

Step 3: Set x_oauth_provider_alias Parameter

Now that you've set up everything to allow your application to use only Social/Enterprise Login, you can open Authgear's authorize endpoint with the x_oauth_provider_alias parameter to start an authorization request that will skip AuthUI.

We will show 2 ways to do this. The first is using the SDK and the second is by passing x_oauth_provider_alias as a URL query parameter.

1. Adding x_oauth_provider_alias using Authgear SDK

The following example shows how to add x_oauth_provider_alias using the Authgear React Native SDK:

The key thing about using the above option is the presence of oauthProviderAlias: 'facebook' in the authenticate() method of the Authgear SDK. This parameter tells Authgear to redirect directly to an OAuth provider, given that the Social/Enterprise provider is configured properly as shown in . Also, the Social/Enterprise only Login method is enabled.

Note that the value for oauthProviderAlias must be the Alias for the social/enterprise provider you configured in step 1.

2. Add x_oauth_provider_alias to the Authorization URL

You can manually add x_oauth_provider_alias parameter to the Authgear authorization endpoint when you're not using the Authgear SDK.

The following example shows how to add x_oauth_provider_alias to the Authgear authorization endpoint:

The above code will append &x_oauth_provider_alias=facebook to the authorization URL.

PHP

Authentication for PHP websites with Authgear and OAuth2

Using OAuth, you can use Authgear to add user authentication in a vanilla PHP application.

In this guide, we'll cover how to implement OAuth 2.0 login in a regular PHP web application with Authgear as the Identity Provider.

What You Will Learn

At the end of this post, you'll learn the following:

How to create an Authgear Application
How to enable email and password sign-in
How to sign in with Authgear from a PHP app
How to request user info from Authgear
How to use a refresh token
And finally how to log users out and revoke access tokens.

Prerequisites

To follow along, you'll need the following:

PHP runtime (E.g XAMPP for testing offline on Windows devices)
An Authgear account. for free if you don't have an account yet.
(PHP package manager) installation
Your preferred code editor (e.g VS Code).

What We Will Build

In this guide, we'll build a basic PHP application that lets a user sign in with their registered email and password.

The application will welcome the user with their email address after they sign in successfully. If the user is not signed in, the application will display links to Register or Login.

The following screenshot shows what the User Interface for the app will look like:

How to Add User Authentication to PHP with Authgear

Now let's dive into the actual steps of how to add Authgear to a PHP application.

Part 1: Configure an Authgear Application

Under this section, we will cover the steps for configuring the Authgear application our PHP website will be connecting to. We'll do all these configurations in the Authgear Portal.

Step 1: Set up Authgear Application

The first step you need to take is to create a new application or configure an existing application on the Authgear .

To do that, log in to the Authgear Portal, and select your project (or create a new one if you don't have any yet). From your project dashboard navigate to the Applications section and enter the details for your new application as shown below:

Once you're done, click on the Save button to continue. Then, click on Next to see the configuration page for your application.

The application configuration page contains basic information like Client ID and Client Secret that we'll use later in this tutorial. Hence, try to note the values down.

In addition to basic information, you can find other configuration information including endpoints and Authorized Redirect URIs.

Step 2: Authorized Redirect URIs

The Authorized Redirect URIs section contains a link to the page you want Authgear to redirect users to after login.

Update the value for Authorized Redirect URIs to a page on your application. For our example PHP application the value will be http://localhost because we plan to test run it offline using XAMPP. Also, try to note this value down as we'll be using it in later steps.

Part 2: Implement PHP Project

Here we will cover the steps for implementing a PHP website that interacts with Authgear using the Open ID Connect (OIDC) standard.

Step 1: Create a PHP Project

Create a new PHP project on your computer and add an index.php file to the root of the project folder.

Add the following code to index.php to create the User Interface of the example app.

Note: The Login and Logout links in the above code currently point to login.php and logout.php respectively, we'll create both files later.

Step 2: Add Authgear Configuration to PHP Project

In this step, we'll add our Authgear application configuration to the PHP project.

We'll use the PHP package for the configuration.

Install the package manually from Github or via Composer by running the following command from your PHP project's root directory:

Next, after the package is installed, create a new config.php file in the PHP project folder. Add the following code to the file:

Note: Replace the values for clientId, clientSecret, redirectUri with corresponding values from the Authgear application you created in Step 1.

Including the offline_access scope is required to get a refresh token from Authgear.

The flow for Login on our app is as follows:

The user clicks on the Login button
User is redirected to the Authgear authorization page where they can sign in using email and password or any other sign-in methods you have enabled for your Authgear project.
The user is redirected back to your website with an authorization code.

In order to implement the above, you need to create a login.php file in your project's root directory. Add the following code to the login.php file:

At this point, if you try running the example app in a browser and click the Login link in index.php, your app should redirect to the Authgear login page. If you sign in successfully, you should be redirected back to the redirect URL you specified earlier in your project configuration.

Authgear will redirect to your Authorized Redirect URI with extra parameters like code or an error message in the URL. The value for the code parameter is your authorization code. In the next step, we'll use the authorization code to generate an access token.

Step 4: Get Access Token and Request User Info

Usually, after successful sign-in, you'll want to start using the current user's info to offer custom experience in your app.

In this step, we'll use the PHP OAuth 2.0 Client once more to interact with our Authgear app.

First, open index.php and search for the line with the following code:

Replace the above line with this code:

The above code exchanges the authorization code returned in the redirect for an access token. It then stores the access token in the PHP session so that we can use this token in future requests to protected resources.

Now that we have the access token, let's try to get the current user's details. To do that, update the HTML part in index.php like this:

Now test the app on your browser again and you should get the following page after login:

We've successfully added user authentication to our PHP app using Authgear as the identity provider. The above page displays a welcome message with the email address the user registered with on your Authgear project. You can display other info about the user from the value of $userInfo variable.

Step 5: Getting and Using a Refresh Token

In OAuth 2.0, a refresh token is a key that's usually included in the response from the token endpoint when a client application exchanges the authorization code for an access token.

Access tokens expire after some time. Hence, we can use this refresh token to request a new access token without requiring our application users to log in again. In this step, we'll show you how to use the refresh token.

In the last step, we stored the value for the refresh token in the $_SESSION['refreshToken'] variable. So, to get the refresh token, simply read the value from that variable.

Now, add the following code to index.php to read and use the refresh token to get a new access token:

First, find the line with the following code:

Replace that line with the following blocks of code:

Note: It is required to include offline_access in your OAuth 2.0 scopes to get a refresh token from Authgear.

Step 6: Logout

Authgear provides a token revoke endpoint that you can use to revoke a refresh token and all the access associated with it.

To use the token revoke endpoint to log users out of your application, create a new logout.php file in your project directory then add the following code to the file:

The above code will revoke your refresh token and delete all the session variables.

Summary

In this post, we covered how to get started with adding Authgear to a regular web app built with PHP and no framework.

We also tried out an example of using the Authgear authorization code to retrieve an access token, then we used the token to access the user info endpoint.

Here's a link complete source code for .

There's so much more you can do with Authgear and you can continue learning by checking out more topics on the .

Python Flask App

Authentication for a Python web application

This guide demonstrates how to add authentication with Authgear to a Python web application built with the Flask framework using the Authlib OAuth library. The full source code for this sample project can be found on the GitHub repo.

Learning objectives

You will learn the following:

How to create an app on Authgear.
How to enable Email-based login.
Add sign-up and login features to the Flask app.

Prerequisites

Before you begin, you'll need the following:

A free Authgear account. if you don't have one already.
Make sure that 3.10 or above is installed on your machine.
Download and Install to manage project packages.

Part 1: Configure Authgear

To use Authgear services, you’ll need to have an application set up in the Authgear . This setup allows users in Authgear to sign in to the Flask application automatically once they are authenticated by Authgear.

Step 1: Configure an application

To set up the application, navigate to the and select Applications on the left-hand navigation bar. Use the interactive selector to create a new Authgear OIDC Client application or select an existing application that represents the project you want to integrate with.

Every application in Authgear is assigned an alphanumeric, unique client ID that your application code will use to call Authgear APIs through the Authlib client library in the Flask app. Record the generated Authgear Issuer Domain (for example, example-auth.authgear-apps.com), CLIENT ID, CLIENT SECRET from the output. You will use these values in Part 2 for the Flask app config.

Step 2: Configure Redirect URI

An Authorized Redirect URI of your application is the URL that Authgear will redirect to after the user has authenticated in the Authgear to complete the authentication process. In our case, it will be a home page for our Flask and it will run at .

Set the following to the Authorized Redirect URIs field. If not set, users will not be returned to your application after they log in.

After you create the Authgear app, you choose how users need to authenticate on the login page. From the Authentication tab, navigate to Login Methods, you can choose a login method from various options including, by email, mobile, or social, just using a username or the custom method you specify. For this demo, we choose the Email+Passwordless approach where our users are asked to register an account and log in by using their emails. They will receive a One-time password (OTP) to their emails and verify the code to use the app.

Part 2: Create a Flask application

Next, create a Flask application with a single page and routes for home, callback, login, and logout flows.

Step 1: Configure an .env file

Start with creating a requirements.txt file in your project directory:

Run pip install -r requirements.txt from your command-line interface to make these dependencies available to the Python project.

Step 2: Setup the application

Create a server.py file in the project directory that contains application logic. Add the necessary libraries the application uses.

Load the configuration .env file to use values such as AUTHGEAR_CLIENT_ID AUTHGEAR_CLIENT_SECRET, AUTHGEAR_DOMAIN and APP_SECRET_KEY in the app.

Configure Authlib to handle the application's authentication with Authgear based on OIDC:

Step 3: Setup the application routes

When visitors to the app visit the /login route, they'll be redirected to Authgear to begin the authentication flow.

Once users complete the login process using Authgear, they will be redirected back to the application's /callback route. This route ensures that the user's session is saved, so they won't need to log in again during subsequent visits.

Refresh Token

Calling the authorize_access_token() method of the Flask Authlib package will include a refresh token in the token response, provided your Flask application has offline_access as one of the OAuth 2.0 scopes.

Authlib will also use the refresh token to obtain a new access token automatically when the current access token has expired.

Logout

The route /logout manages the user's logout process from the application. It clears the user's session within the app and momentarily redirects to Authgear's logout endpoint to guarantee a thorough session clearance. After this, users are navigated back to your home route (which we'll discuss shortly).

The home route will either display the details of a logged-in user or provide an option for visitors to sign in.

Step 4: Add UI page

Create a new sub-directory in the project folder named templates, and create a file home.html.

Step 5: Run the application

Run the application from the project root directory:

python server.py

The application should now be accessible to open from a browser at .

Next steps

There is so much more you can do with Authgear. Explore other means of login methods such as using in an email, , or . For the current application, you can also from the Authgear portal.

Use the OAuth 2.0 State Parameter

Reference on what the OAuth 2.0 parameter is and how to use it in Authgear SDK.

The OAuth 2.0 framework includes an optional state parameter. The value of the state parameter can be any random string or number defined by a client application (e.g. a web or mobile that uses Authgear for user authentication) before making an authorization request. In fact, the state parameter is added to the authorization URL as a URL query.

The authorization server (Authgear) will include the value of the state parameter when redirecting the user-agent back to the client application. As a result, the client application can retrieve the value of state returned to verify that it is the origin of the authorization request.

In this post, we'll cover some possible usage of the state parameter and how to include the state parameter in an authorization request to the Authgear server.

Use cases of the State Parameter

The following are some use cases of the OAuth 2.0 state parameter.

Because the value for the state parameter passed at the beginning of an authorization request is returned unchanged after authorization, you can use this behavior to customize the post-login or sign-up user experience.

For example, you can show users some custom messages after they sign up or log in, using a special link that was sent to them via email or SMS. The "special" thing in the link would be the value of a query parameter that can be passed in the state parameter.

Then, a client application can read the value of the state parameter and based on that, determine when and how to display the custom message or user experience.

2. Analytics

Another possible use of the state parameter is analytics and tracking user behavior. You can use the state token to include a unique key that tracks your campaigns. This way, you can know the number of users who sign up or log in to your application from a particular campaign.

You can also use the value you specify in the state parameter in an analytic tool (for example, as id in the identify(id) function) to track user's behavior pre-login and post-login.

To learn more about using the state parameter for tracking user behavior, see our detailed guide .

3. Security: To Prevent Cross-site Request Forgery (CSRF)

Cross-site Request Forgery or short CSRF is a type of web security vulnerability where the attacker uses malicious means to trick a user into performing undesired actions on sites they use and trust. This type of attack usually targets users who are signed in and attempts to compromise access to their protected resources.

In OAuth, an attacker can perform a Cross-site Request Forgery using the client application's redirect URI. The attacker can trick a user into using a redirect URI that contains their authorization code or access token. Hence the user will end up using the access token and protected resources of the attacker. When they save new data using this access token, the attacker can also view them (as they are the original owner of the protected resources).

The official Authgear SDKs have mechanisms for protecting your applications from CSRF built into them.

However, if you are not using the official SDK, you can secure your application by generating a random hard-to-guess value on the client application and passing it in the state parameter. Your application should store this value securely on the user's client-side using session cookies or some other form of local storage. Then, verify the state parameter in the redirect URI against the value stored locally to confirm that a user-agent is the origin of an authorization request before exchanging the authorization code for an access token.

Examples: Including the State Parameter in Authorization Request

The following URL shows an example of an authorization request URL:

As you can see from the above URL, state is a query parameter in addition to other parameters like the client_id and redirect_uri.

If you're constructing the authorization URL manually, you can include the state parameter by simply appending "&state=random_state_value" to the authorization URL.

Alternatively, if you're using any of the Authgear SDKs, you can use the built-in state field to set a value.

The following code samples show the use of the state parameter with Authgear.

Step 1: Set up a React Project to use Authgear

Create a new React project or use an existing project and configure the project to use Authgear. The following example is based on our .

First, install the Authgear web SDK by running the following command:

Next, configure Authgear in your React Project's index.tsx file like this:

Step 2: Include State Parameter in Authorization Request

Set the state field in your call to the startAuthentication() method of the Authgear SDK to a random hard-to-guess value based on your use case.

Step 3: Read and Use the Value of State Returned After the Authorization

Implement the component that handles your OAuth 2.0 redirect like this:

Customize the Login Pop-up / Disable the login alert box

Learn how to switch between ASWebAuthenticationSession/Custom Tabs to WebKitWebView using Authgear Mobile SDKs.

The default of the Authgear Mobile SDKs is to launch AuthUI in ASWebAuthenticationSession in iOS and Custom Tabs in Android. ASWebAuthentication is an API provided by Apple for login purpose. It will store the session cookie and share with Safari, which makes Single Sign-on (SSO) between mobile apps and web apps possible.

However, it requires user consent, and will display a login alert box:

There are multiple ways you can avoid the login alert box:

1. Use ephemeral sessions

If you do not need SSO between mobile and web apps, you can disable it by setting isSSOEnabled = false.

It will not share the session cookies between your app and Safari. And the login alert box will not show to prompt user consent.

2. Use WebKitUIImplementation

The mobile SDKs include WebKitWebViewUIImplementation, a UIImplementation which makes it possible to customize more UI.

Depending on the platforms, there are various alternatives:

iOS: WKWebViewUIImplementation
Other platforms / Android: WebKitWebViewUIImplementation

Setting the uiImplementation attribute in the configure() method of the Authgear SDK to WebKitWebViewUIImplementation() will open AuthUI using on iOS and on Android.

Omitting the uiImplementation attribute in the configure() method will fall back to the default behavior (launching AuthUI in ASWebAuthenticationSession/Custom Tabs, which is DeviceBrowserUIImplementation).

Example Code

The following examples show how to set the uiImplementation attribute.

Setting uiImplementation to WebKitWebViewUIImplementation in the above example will change the behavior of your application from using ASWebAuthenticationSession on iOS and Custom Tabs on Android to using WKWebView and android.webkit.WebView respectively.

To set uiImplementation to WKWebView in the native iOS SDK, use WKWebViewUIImplementation .

Customizing the WebKitWebView UI

WebKitWebViewUIImplementation allows you to customize some parts of the UI. You can do this by passing your customization options as parameters in WebKitWebViewUIImplementation(). You can customize the following parts of the UI:

Android

actionBarBackgroundColor: Use this option to customize the color of the action bar on the WebView Activity screen. The value should be of type integer according to this encoding:
actionBarButtonTintColor: This option can be used to set the color of the icons and texts on the action bar. The value should also be of type integer and use the encoding here: .

iOS

navigationBarBackgroundColor: This option can be used to customize the color of the navigation bar on iOS. The value should be of type or an integer (React Native or Ionic SDKs) using the following encoding: .
navigationBarButtonTintColor: This option sets the color of icons and texts on the navigation bar. The value should also be UIColor or an integer (React Native or Ionic SDKs) using the same encoding as navigationBarBackgroundColor.
modalPresentationStyle

The following examples show how to set custom background color, tint color, and modal presentation style.

3. Implement Custom UIImplementation

You can implement your own custom UIImplementation when the WebKitWebViewUIImplementation does not meet the requirements of your use case.

The WebKitWebViewUIImplementation class itself is basically a class that implements UIImplementation and overrides the openAuthorizationURL()method. Hence your custom implementation may look like this:

Then, you can use your custom implementation like this:

To get a deeper understanding of how to implement your UIImplementation, see the code for the implementation.

Unsupported Features

When you drop the default DeviceBrowserUIImplementation to use your own custom UI implementation that uses WebView, it is important to note that you'll be losing the following features, due to iOS or other security limitations.

Login with Google: Google prohibits the use of WebKitWebView with the Google SSO. Learn more here: . As a result WebKitWebViewUIImplementation and Google SSO cannot be used together.
Passkey: Passkey is not supported in WebKitWebView.

Add authentication to any web page

Learn how to add authentication to any web page without using Authgear's SDKs with IIFE(Immediately-invoked Function Expression) bundle

In this guide, you'll make a simple website server to host the SPA app using ExpressJS. We'll also use it to serve our HTML page and any assets it needs, like JavaScript, CSS, and so on. You can also view a full-source code on the GitHub repo.

Prerequisites

Before we start, ensure you have Node.js installed in your system. If not, download and install it from the .
An Authgear account: You need an Authgear account to follow this guide. If you don't have one, you can on the Authgear website.
A Registered App: You need a registered application type (Single Page Application) in Authgear. Follow the guide and skip part. You will retrieve the Authgear Web SDK from Authgear's CDN using IIFE(Immediately-invoked Function Expression) bundle and reference a script in our HTML directly.

Create a basic web server

Start with making a new folder on your computer to keep the app’s source code (In the example, we call it authgear-spa-js-login). Then, initialize a new NPM project by running the following command:

Next, we install two required packages:

Also, install so that our server can be restarted automatically on any code changes in dev mode:

Next, open the package.json file and edit scripts entry to have start and dev commands like the below:

Now you can run the app in two modes: prod and dev.

For example, npm run dev will run the application using nodemon, monitoring for changes as we modify files.

Creating server.js

Create a new file server.js in the root of the project and populate it with the following code:

Create a basic HTML page

Create a index.html file in the root of the project and add the following content to the created file:

We do not use a package manager such as , we will retrieve the Authgear Web SDK from Authgear's CDN using IIFE(Immediately-invoked Function Expression) bundle. We can reference a script in our HTML directly:

You can install the Authgear Web SDK as a dependency of your application, it is useful if you are building React or React Native apps. See how to .

Create a main.css file

Create a new folder called public folder in the project root folder and create another folder called css inside the public folder. Add a new file in there called main.css. This will be used to determine how the log-in and log-out button elements will be hidden on the main page depending on whether a user is authenticated or not.

Open the newly-created public/css/main.css file and add the following CSS:

After creating an HTML file and applying CSS styles, see now how our page looks like by running npm run dev and accessing it at http://localhost:3000.

Create an app.js file

To add some action to the page, we create a new directory in the public folder called js, and add a new file there called app.js. Copy and paste the following JS code that reads authgear_config.json file Authgear app-specific values (endpoint and clientId) from the endpoint using fetchAuthConfig function. Also, it configures a new Authgear client, and defines login and logout logic:

Understanding the whole picture

Let’s breakdown down app.js code in the previous section and understand how authentication is achieved with Authgear:

Configure the Authgear client

fetchAuthConfig: Firstly, this function makes a request to the /authgear_config.json the endpoint we exposed in server.js to fetch Authgear app setting values from authgear_config.jsonfile.

configureClient: Once we retrieve the configuration information for the Authgear client from the authgear_config.json file and we set up the Authgear client with these settings. It also logs a message to the console, informing whether the configuration was successful or not.

Login flow

login: The function is called by the Login button previously defined on the HTML page. It performs the login action by calling authgearClient.startAuthentication Authgear’s function. It redirects the user to the Auhthgear login page. After the user logs in successfully, they will be redirected back to the same page we set in redirectURI. Run the project and click the Login button. You should be taken to the Authgear Login Page configured for your application.

Go ahead and create a new user or log in using an email (we specified the Passwordless Email login method in the first part). When you try to log in with your email, you should receive a to your email box to confirm login operation.

After authenticating successfully, you will be redirected to the page you were before.

Logout flow

logout: This function logs the user out and redirects them back to the original page (at). It uses Authgear’s logout function and logs a message to the console indicating the result of the operation.

Update the UI

window.onload: This is a function that runs when the page loads. It configures the Authgear client and updates the UI. If the page's URL contains a "code=" it means the user is authenticated (code the query will be received from the Authgear server), it updates the UI again and removes the "code=" from the URL.

Evaluate the authentication state

updateUI: This function updates the status of the login and logout buttons based on whether the user is authenticated or not. In Authgear, you can check if the user has logged in or not with sessionState the attribute. If the user is authenticated, we disable the login button and enable the logout button, and vice versa if the user is not authenticated.

iOS SDK

Integrate your iOS application with Authgear iOS SDK

This guide provides instructions on integrating Authgear with an iOS app. Supported platforms include:

iOS 11.0 or higher

Follow this guide to add Authgear to your iOS app in 🕐 10 minutes.

You can find the full code for the demo app for this tutorial in this Github repo

Setup Application in Authgear

From the Project listing, create a new Project or select an existing Project. After that, we will need to create an Authgear client application in the project.

Step 1: Create an application in the Portal

Go to Applications on the left menu bar.

Click ⊕Add Application in the top toolbar.

Input the name of your application and select Native App as the application type. Click "Save".

You will see a list of guides that can help you for setting up, then click "Next".

Step 2: Configure the application

Here you'll need to define a custom URI scheme that Authgear will use to redirect users back to your app after authentication. For our example app, this URL Scheme will be com.example.authgeardemo://host/path. For further instructions on setting up a custom URI scheme in iOS, see the official documentation .

Head back to Authgear Portal, and add com.example.authgeardemo://host/path as Redirect URI.

Click "Save" button and note the Client ID. and Endpoint for your new client application as you'll use them later in your iOS application. You can also obtain the Client ID again from the Applications list later.

Add Authgear to your iOS Application

In this step, we'll add user authentication to a simple iOS app using the Authgear iOS SDK and the client application we created in the previous steps.

Pre-requisites

To follow the steps in this guide seamlessly, you should have the following:

(Latest Version)
Some knowledge of SwiftUI

Step 1: Create new iOS project

For the purpose of this guide, we'll create a new project in Xcode. Skip this step if you're adding Authgear to your existing app.

To create a new project, open Xcode and navigate to File > New > Project. Create your new project with the following details:

Project Name: my_demo_app
choose SwiftUI as Interface Leave other fields unchanged and proceed to create the project.

Step 2: Install Authgear SDK

The Authgear iOS SDK makes it easy to interact with Authgear services from your iOS project.

To add Authgear SDK to your project, in Xcode navigate to File > Add Package Dependencies and enter https://github.com/authgear/authgear-sdk-ios.git in the Package URL text field.

Click Add Package to proceed.

On the next screen, select your application under Add to Target then click on Add Package.

Alternatively, if your project uses cocoapods, install the SDK using:

Step 3: Initialize Authgear SDK

In this step, we'll initialize an instance of the Authgear SDK when the user interface of our app loads.

In a production app, you may want to initialize Authgear at the entry point of your app. E.g. For SwiftUI projects, this is usually a file with a name like YourProjectNameApp.swift or AppDelegate for storyboard projects.

For our demo app, add the following code to ContentView.swift

First import Authgear iOS SDK:

In struct ContentView: View {}, initialize an instance of Authgear() and call the .configure() method in an .onAppear() modifier attached to VStack like this:

Replace "<CLIENT_ID>" and "<AUTHGEAR_ENDPOINT>" with the client ID and endpoint from the configuration page of the client project you .

Now let's add the Login button and other UI elements for the demo app.

Add the following views to VStack:

In addition to the Login button, we've included a ProgressView and a block with views we want only logged-in users to see. Create the isLoading , userId and loginState variables that the if-statement and Text view depend on at the top of the class just after private var authgear: Authgear = Authgear(...):

Step 5: Start Authentication Flow

Implement a startAuthentication() method in your ContentView class that will call the authenticate() method of the Authgear SDK:

In order to get your app to build at this point, add empty declarations for logout and openUserSettings methods:

The full code for ContentView.swift at this point should look like this:

Checkpoint

Run your app now. When you click on the Login button, you should be redirected to the user authentication page.

Step 6: Register URI Schema for Redirect URI

Open your project's Info.plist or project settings UI in Xcode and add the following:

Navigate to Targets > {Your project} > Info and expand the URL Types section.

Add a new URL scheme with the following details:

Identifier: CFBundleURLTypes

URL Schemes: com.example.authgeardemo://host/path

Role: Editor

Now run your app again and try logging in. Because we've set up a redirect URL, Authgear should redirect back to our app correctly.

Step 7: Implement Logout method

Implement the logout method that will be executed when the Logout button is clicked by updating the empty logout function we added in the previous step:

Now clicking on the Logout button will call Authgear SDK's logout method and end the current user session.

Step 8: Show the user information

In some cases, you may need to obtain current user info through the SDK. (e.g. Display email address in the UI). Use the fetchUserInfo function to obtain the user info, see .

The Authgear SDK can return the current user's details via the UserInfo object. The authenticate method returns this userInfo object as demonstrated earlier in our app's startAuthentication() method. You can also call the SDK's .fetchUserInfo() method to get the UserInfo object.

Add a new getCurrentUser() method to your ContentView class:

Now call the new getCurrentUser() method in the .onAppear() modifier of the VStack like this:

This will make your app refresh the access token and greet users who are already logged in with their sub (a unique user ID) when the launch the app. You can read other user attributes like email address, phone number, full name, etc. from .

Step 9: Open User Settings page

Authgear offers a pre-built User Settings page that user's can use to view, and modify their profile attributes and security settings.

Implement the empty openUserSettings() method we added in the previous step to call the .open() method of the Authgear SDK:

Get the Logged In State

When you start launching the application. You may want to know if the user has logged in. (e.g. Show users a Login button if they haven't logged in).

The sessionState reflects the user logged-in state in the SDK local state. That means even if the sessionState is .authenticated, the session may be invalid if it is revoked remotely. Hence, after initializing the Authgear SDK, call fetchUserInfo to update the sessionState as soon as it is proper to do so. We demonstrated how to use sessionState, and fetchUserInfo, to get a user's true logged-in state and retrieve their UserInfo in .

The value of sessionState can be .unknown, .noSession or .authenticated. Initially, the sessionState is .unknown. After a call to authgear.configure, the session state would become .authenticated if a previous session was found, or .noSession if such session was not found.

Using the Access Token in HTTP Requests

Next steps

To protect your application server from unauthorized access. You will need to integrate your backend with Authgear.

iOS SDK Reference

For detailed documentation on the iOS SDK, visit .

Express

Authentication for Express.JS apps with Authgear and OAuth2

Authgear makes it easy to add user authentication to a regular web app that is not powered by any framework. You can do this by integrating Authgear into your application as an OIDC identity provider.

In this post, you'll learn how to add user authentication to an Express.js application using Authgear.

What You Will Learn

How to create an Authgear Application.
How to add User Login to an Express app using Authgear.
How to request user info from Authgear.

Pre-requisites

You'll need the following to follow along with this tutorial:

Node.js Installed
A free Authgear account. Sign up for one .

Follow this guide to add user authentication to an Express application using Authgear in 🕐 15-minute.

Check out and clone .

Setup Application in Authgear

Create an application in the Portal

In this step, we'll create the Authgear client application that we'll use later to connect Authgear to the Express application.

After you log in to Authgear Portal, select a project then navigate to Applications on the left menu bar.

Next, click on the ⊕Add Application button on the top toolbar to open the New Application page.

Enter an application name (for example: "My App") and select OIDC/SAML Client Application as the Application Type. Click Save to create the app.

On the next screen, you'll see links to tutorials for different frameworks. Click Next to skip to the application configuration page.

Note the Client ID and Client Secret for your new application as you'll use in a later step to configure your Express app.

Configure Authorize Redirect URI

The Authorized Redirect URI should be a page on your Express application where you make an HTTP(S) request to the Authgear token endpoint and exchange an Authorization Code for an Access Token.

For our demo Express application for this guide, this URL will be http://localhost:3000/auth-redirect. So, scroll to the URI section of your application configuration page in the Authgear Portal and add http://localhost:3000/auth-redirect as an authorized redirect URI.

Click Save to keep your changes.

How to Add User Authentication to Express.js App using Authgear

In this section, we'll be building a simple Express app that has the following features:

A landing page with a login link that takes users to the login route.
A /start-login route that initiates the authentication flow.
Logic that exchanges the authorization code from Authgear for an access token.
A page that uses that access token to fetch user info from Authgear.

Step 1: Create Express App

It is now time to create the Express app that will be connecting to our Authgear client application. Run the following commands to create a new folder for the project and set it as your current working directory:

Install basic project dependencies

Next, install the Express npm package and other dependency packages like axios, nodemon, session, and dotenv.

We'll be using the axios library to make HTTP requests in the example app. We'll also use nodemon to add hot reload to our development environment. Run the following commands from the root of your Express project directory to install Express and other dependencies:

Create `app.js` file

Once Express and the other dependencies are installed, create a new app.js file in the root of your project folder and add the following code to the file:

Update package.json

Add the following code to the scripts section of the package.json file in the root directory of your Express project:

Checkpoint

Now run the npm run dev command and you should get a page like this on a web browser when you visit localhost:3000:

Here we'll be implementing the login route in our Express app. This route will initiate the authentication flow by redirecting the user's browser to the login page (AuthUI). This process involves redirecting the user to your Authgear project/client application's authorization URL (https://<AUTHGEAR_ENDPOINT>/oauth2/authorize ).

Update the code for the app.get("/login", ...) route to the following:

Create a .env file on the root directory of your project and add your Authgear client application configuration (Client ID, secret, endpoint) using the following fields:

You can get the value for Client ID and Client Secret from the configuration page for the client application you created in the earlier step, . The Authgear Endpoint looks like https://project_id.authgear.cloudif you are using Authgear Cloud version.

Now if you save your code and restart your app, clicking on the Login link should redirect to the Authgear authorization page.

On successful login, an authorization code will be sent back to your Express application.

Step 3: Exchange Authorization Code For Access Token

After the user logs in and grants authorization to your app on the Login page, they are redirected back to the . In addition to this redirect, an authorization code is sent via a code URL query parameter.

In this step, we will be exchanging the authorization code for an access code that users can later use to access protected resources.

Update the code for the app.get("/auth-redirect", ...) route to the following:

The above code sends an HTTP POST request to the token endpoint (https://<AUTHGEAR_ENDPOINT>/oauth2/token). The authorization code we got from the previous step is sent along with other client credentials in the HTTP request body. The header should contain "Content-Type": "application/x-www-form-urlencoded"

A valid access token is returned in the response to the HTTP(S) request in response.data.access_token. In the above code sample, we've saved this access token temporally using express-session so we can access it from "/" route after redirecting the user.

We can now use this access token to make authenticated requests to protected resources in our app or from the Authgear User Info endpoint. In the next step, we'll attempt to get the current user's info from Authgear using the access token.

Step 4: Get User Info

Authgear provides an endpoint where your application can request user info (https://<AUTHGEAR_ENDPOINT>/oauth2/userinfo). This endpoint will return the user's details on Authgear like their email address, gender, full name, and more.

To get user info in our example app, update the app.get("/", ...) app.js, to use the following conditional statement to render a different block of code when a valid access token is set for the current session:

Here our app sends another HTTP(S) request, but this time to the user info endpoint and the request type is GET. The access token is sent as a Bearer authorization header.

At this point, save all changes and restart the application. Try logging in all over again, at the end you should be greeted with "Welcome [your email address]" and a dump of the response from the UserInfo endpoint if the access token in your authorization header is valid.

Step 5: Logout

To allow your users log out, add a new /logout route to your Express application. Within the route, you'll implement code that will call express-session destroy() method to delete the access token from the session. Then you'll redirect the user to Authgear's logout endpoint to log the user's session on Authgear.

To redirect the user back to your Express app after they logout, add http://localhost:3000 as a Post Logout Redirect URI for your client application in Authgear Portal.

Your implementation of the logout route should look like this:

Finally, place a link to the logout route below the </prev> tag using the following code:

Step 6: Refresh Access Token

An access token is usually only valid for a short period. However, you can use the refresh token, also included in the response from the token endpoint in to request a new access token.

Note that you must include offline_access in the scope parameter of your authorization request to get a refresh token from Authgear.

We recommend that you check that an access token is still valid before using it in your authorization header to access protected resources like the User Info endpoint.

To add the capability of refreshing an expired access token to our Express app, add the following function to app.js:

Next, find the following line within the app.get("/auth-redirect", ...) route:

Add the following code just after the above line:

The above code will store the values of refresh_token and expires_in that were returned in in express-session. To convert expire_in to a time in the future, we multiply it by 1000 and add that to the current time.

Finally, find the following line in the app.get("/", ...) route:

Replace the above line with the following code:

Now our Express app gets an access token by first calling the new refreshAccessTokenIfExpired() method. If the current access token is expired, the method will make a request to Authgear's token endpoint for a new access token. This request needs to have a grant_type of refresh_token, and the refresh_token should be included in the POST request body.

See more about refreshing access tokens .

Next steps, Calling an API

To access restricted resources on your backend application server, the HTTP requests should include the access token in their Authorization headers.

For example:

Conclusion

And there you have it, you've successfully added user authentication to your Express app using Authgear as the OAuth provider.

You can add so much more to your app with the new Authgear authentication, like protecting your own app endpoint with the access code. You can also store the access token securely to persist the user session using express-session and cookies.

Here's a link to the complete code for .

Android SDK

How to use authgear android SDK

This guide provides instructions on integrating Authgear with an Android app. Supported platforms include:

Android 5.0 (API 21) or higher

Follow this guide to add Authgear to your Android app in 🕐 10 minutes.

You can find the full code for the demo app for this tutorial in this Github repo

Setup Application in Authgear

From the Project listing, create a new Project or select an existing Project. After that, we will need to create an application in the project.

Step 1: Create an application in the Portal

Go to Applications on the left menu bar.

Click ⊕Add Application in the top toolbar.

Input the name of your application and select Native App as the application type. Click "Save".

You will see a list of guides that can help you for setting up, then click "Next".

Step 2: Configure the application

Define a custom URI scheme that Authgear will use to redirect users back to your app after they have authenticated. The scheme should be based on the package name for your Android app. For the demo app, we'll be creating in this guide the scheme is: com.example.authgeardemo://host/path. To learn more about setting up a custom URI scheme in Android, see the official documentation .

Head back to Authgear Portal, and add the URL scheme you have defined as a Redirect URI. For our demo app, add the following URI:

Click "Save" in the top toolbar and note the Client ID as you'll use it later in your Android app. You can also obtain it again from the Applications list later.

Add Authgear to an Android Application

In this step, we'll add user authentication to an Android application using the Authgear client application we set up in the previous steps.

Pre-requisites

To follow along, you need to have the following:

Android Studio installed on your computer
Basic knowledge of Kotlin or Java

Step 1: Create an Android App project

For the purpose of this guide, we'll be creating a new simple Android app project. Feel free to skip this step if you are adding Authgear to your existing app.

Open Android Studio and create a new project with the following details:

Select Empty View Activity on the Activity selection screen.
Name: My Dem App
Build configuration language: Groovy DSL

The reason for recommending you use Groovy DSL as Build configuration language for this guide is to make it easier to copy and paste the Gradle configurations we've provided without having to make many rewrites.

Step 2: Add Authgear SDK to your project

The Authgear Android SDK makes it easier to interact with Authgear endpoints and services from your Android app.

To add the SDK to your app, first, add the jitpack.io repository to your project by adding the following to your project's settings.gradle file:

Next, add authgear in the dependencies section of your app-level (/app/build.gradle) build.gradle. Use $branch-SNAPSHOT (e.g. main-SNAPSHOT) for the latest version in a branch or a release tag/git commit hash of the desired version.

Replace SNAPSHOT with the latest version of the Authgear SDK from: . For example, replacing SNAPSHOT with 2024-12-11.0 to use the latest version at the time of writing this.

Enable Java 8+ API desugaring support

To enable Java 8+ API desugaring support for your project, make the following changes to the app-level build.gradle file.

Add coreLibraryDesugaringEnabled true to the android > compileOptions section:

Then add the coreLibraryDesugaring to the dependencies section:

Learn more about Java 8+ API desugaring support .

Sync Gradle to continue.

Step 3: Initialize Authgear

In this step, we'll initialize Authgear in the onCreate method of our app's MainActivity.kt class using a member variable. Alternatively, you can initialize Authgear in any class that's the entry point for your app:

First, declare a member variable authgear like this:

Next, we'll initialize a new instance of the Authgear SDK and call the configure() method in the onCreate function.

Replace <CLIENT_ID> and <ENDPOINT> with the values from the configuration page of your Authgear client application.

The complete code for MainActivity.kt at this point should look like this:

Import any class that shows as unresolved.

In this step, we'll add a login button that when the user taps on will open the login/sign-up page.

Open res/layout/activity_main.xml and delete the default "Hello World!" TextView.

Switch to the code view of activity_main.xml and add the login button and a TextView inside the root view (ConstraintsLayout).

Also, add the following views to activity_main.xml to include a Progress Bar, a User Settings button, and a Logout button that will be visible to a logged-in user.

The complete content of activity_main.xml can be found .

Enable View Binding

Next, set up so that you can easily reference Views in your MainActivity.kt file. Add the following to your app-level (/app/build.gradle) build.gradle file under the android block to enable view binding:

Create a binding member variable in MainActivity.kt and modify the onCreate() method as shown below to use view binding in setContentView:

Step 5: Start the authentication flow

Create a startLogin() method in the MainActivity.kt inside class MainActivity : AppCompatActivity(){}. This method will call the Authgear SDK's authenticate() method to start a new authentication flow.

Next, implement the updateUi() method that was called in startLogin(). This function will update the Views on the screen when the user's logged-in state changes.

The updateUi() method also calls the fetchUserInfo() method of the Authgear SDK. This will return the of the current user such as their email address, name, etc.

Finally, call the startLogin() method on click of the Login button by adding an onClickListener in the onCreate() method.

Checkpoint

At this point, if you try to run your application on a mobile device or emulator, you should be able to see the authentication UI (login/sign-up page) when you click on the Login button. However, you will be unable to complete authentication at this point because you have not implemented the activity that handles the Redirect URI.

Step 6: Setup Redirect URI for Your Android App

Add the following activity entry to the AndroidManifest.xml of your app. The intent system would dispatch the redirect URI to OAuthRedirectActivity and the SDK would handle the rest.

Targeting API level 30 or above (Android 11 or above)

If your Android app is targeting API level 30 or above (Android 11 or above), you need to add a queries section to AndroidManifest.xml.

Step 7: Implement User Logout

Add a logout() method to your MainActivity.kt class that will call the Authgear SDK's logout() method and end the current user session.

Finally, add an onClickListener for the Logout button that calls the above logout() method in the onCreate() method.

Step 7: Open User Settings Page

Authgear offers a pre-built User Settings page that user's can use to view, modify their profile attributes and security settings.

Add the following openUserSettings() method to your MainActivity.kt class:

Then add an onClickListener for the User Settings button in the onCreate() method that calls the above openUserSettings() method.

Additional Actions

Get the Logged In State

You can use the user's logged-in state to determine whether a user is logged in and display content like their user info and a logout button as we have done in the updateUi() method in . The SessionState reflects the user logged-in state in the SDK local state. That means even if the SessionState is AUTHENTICATED, the session may be invalid if it is revoked remotely. After initializing the Authgear SDK, call fetchUserInfo to update the SessionState as soon as it is proper to do so.

The value of SessionState can be UNKNOWN, NO_SESSION or AUTHENTICATED. Initially, the sessionState is UNKNOWN. After a call to authgear.configure, the session state would become AUTHENTICATED if a previous session was found, or NO_SESSION if such session was not found.

Fetching User Info

In some cases, you may need to obtain current user info through the SDK. (e.g. Display email address in the UI as we did in ). Use the fetchUserInfo function to obtain the user info, see .

Using the Access Token in HTTP Requests

Call refreshAccessTokenIfNeeded every time before using the access token, the function will check and make the network call only if the access token has expired. Include the access token in the Authorization header of your application request. If you are using OKHttp in your project, you can also use the interceptor extension provided by the SDK, see .

Next steps

To protect your application server from unauthorized access. You will need to .

Android SDK Reference

For detailed documentation on the Flutter SDK, visit

Footnote

[^1]: For further instruction on setting up custom URI scheme in Android, see [^2]: For more explanation on JWT, see

Next.js

Authentication for Next.js app with Authgear

In this guide, you'll learn how to implement authentication for the Next.js application, a popular React-based framework for JavaScript, and Authgear as the OIDC provider. The source code can be found on GitHub.

Learning objectives

You will learn the following throughout the article:

How to add user login, sign-up, and logout to Next.js Applications.
How to create a middleware to protect Next.js application pages.

Implementing authentication in a Next.js web app

In the , the Next.js app is integrated with Authgear, and the client library is used for sending authentication requests as an OpenID Connect middleware from the app to Authgear.

Prerequisites

Before you begin, you'll need the following:

A free Authgear account. if you don't have one already.
.
Experience with framework and application development.

Part 1: Configure Authgear

To use Authgear services, you’ll need to have an application set up in the Authgear . This setup allows users in Authgear to sign in to the Next.js application automatically once they are authenticated by Authgear.

Step 1: Configure an application

Every application in Authgear is assigned an alphanumeric, unique client ID that your application code will use to call Authgear APIs through the NextAuth.js Client in the Next.js app. Record the generated Authgear ISSUER (for example, ), CLIENT ID, CLIENT SECRET from the output. You will use these values in the next step for the client app config.

Step 2: Configure Redirect URI

An Authorized Redirect URI of your application is the URL that Authgear will redirect to after the user has authenticated for the OpenID Connect middleware to complete the authentication process. In our case, it will be a home page for our Next.js and it will run at .

Set the following to the Authorized Redirect URIs field. If not set, users will not be returned to your application after they log in.

After you created the Authgear app, you choose how users need to authenticate on the login page. From the Authentication tab, navigate to Login Methods, you can choose a login method from various options including, by email, mobile, or social, just using a username or the custom method you specify. For this demo, we choose the Email+Passwordless approach where our users are asked to register an account and log in by using their emails. They will receive a One-time password (OTP) to their emails and verify the code to use the app.

Part 2: Create the Next.js application

You have two options here. You can either clone a or build the app from scratch.

Clone the demo repository

If you want to run an already working application, you can clone the demo project from this using the following command.

Since you've cloned a working repo, you don't need to follow the next section. If you'd like to understand more about what was done in the demo application, feel free to read them.

Either way, continue configuring the to proceed with this tutorial.

Step 1: Create your own Next.js application

If you want to create your own application instead of using our demo project, you can create a new Next.js application by running the command below.

The create-next-app wizard will ask you a few questions on how to set up your application. Answer them accordingly.

Step 2: Installing NextAuth.js

Now that you have the application running, let's implement the authentication process by using . We recommend you look also at the for the most up-to-date instructions. First, install NextAuth.js:

Now, you need to create a file named exactly like [...nextauth].js in src/pages/api/auth. First, make the directory and then create a file named [...nextauth].js in that directory.

Next, you'll configure a for Authgear. Doing so ensures every request to the /api/auth/* path is handled by NextAuth.js.

In the following code, we made a few config:

We've added as the scope to make Authgear return all user profiles
We have made id and name in the Next Auth session (under callbacks). You can also add other attributes such as email, phone_number, and preferred_username to the session as well.

Step 3: Exposing session state

To allow components to check whether the current user is logged in, change src/pages/_app.js to have your application rendered inside a <SessionProvider> context, as shown below.

This will make the React Hook accessible to your entire application. Now, create a component that will either render a "Log in" or "Log out" button, depending on the session state, in a src/components/login-button.jsx file.

Then, you change your home component located at src/pages/index.js to include the <LoginButton /> component inside <main>.

Step 4: Set environment variables

In the root directory of your project, add the file .env.local with the following environment variables:

replace with Authgear app settings values from Part1 such as Issuer, ClientId, ClientSecret.

Step 5: Testing

Start the HTTP server by running the following command.

Browse to . If the installation went successful, you should see the Login page.

Click the "Log in" button to be taken to a page with a "Sign in with Authgear" button.

After clicking it, you should be redirected to your Authgear login screen.

Your users can sign-up and login to your application through a page hosted by Authgear, which provides them with a secure, standards-based login experience that you can customize with your own branding and various authentication methods, such as , , , with SMS/WhatsApp, and multi-factor authentication (MFA).

After you have authenticated with a one-time password sent to your email, you'll arrive back at your Next.js application home screen, with your email address displayed and a "Log out" button.

Next steps

This tutorial showed how to quickly implement an end-to-end OpenID Connect flow in Next.js with Authgear. Only simple code is needed, after which protected views are secured with built-in UI login pages.

React

Follow this quickstart tutorial to add authentication to your React application

Authgear helps you add user logins to your React apps. It provides a pre-built login page and user settings page that can accelerate your development process.

Follow this 🕐 15-minute tutorial to create a simple app using React with the Authgear SDK.

Check out and clone the Sample Project on GitHub.

Setup Application in Authgear

To use Authgear's features, you'll need an account and a Project. Sign up for a free account at and create a new Project to get started.

After that, we will need to create an Application in the Project Portal.

Create an application in the Portal

To create a client application, go to Applications on the left menu bar in the Authgear Portal.

Next, click ⊕Add Application in the top toolbar.

Enter the name of your application, e.g. "MyAwesomeApp", then select Single Page Application as the Application Type. Click the Save button to create the application.

Configure Authorize Redirect URI

The Authorized Redirect URI is a URL in you application where the user will be redirected to after login with Authgear. In this path, make a finish authentication call to complete the login process.

Go to the URI section of the Authgear client application you just created and add a new Authorized Redirect URI. For this tutorial, add http://localhost:4000/auth-redirect to Authorize Redirect URIs.

Click Save to keep all client app configuration changes before proceeding to the next steps.

Add Authgear to React App

In this section, we'll create a simple React application and connect it to Authgear such that, users of the app will log in, view their user settings, and log out of their account.

Step 1: Create a simple React project

Here are some recommended steps to scaffold a React project. You can skip this part if you are adding Authgear to an existing project. See in the next section.

Create a new React project using Vite

Run the following command from your preferred folder to create a new React project with Vite:

Next, run the following commands to open the new project directory and install the dependencies:

Change port

In the package.json file, update the value of dev field in the script.dev section to:

This will enable the npm run dev command run the app in development mode on port 4000.

The file structure in your project should look like this now:

Run npm run dev now to run the project and you will see the default "Vite + React" page when you open http://localhost:4000 on a web browser.

Step 2: Install Authgear SDK to the project

Run the following command within your React project directory to install the Authgear Web SDK

In src/main.tsx , import authgear and call the configure function to initialize an Authgear instance on application loads.

The Authgear container instance takes endpoint and clientID as parameters. They can be obtained from the configuration page for the application created in . Create a .env file in the root directory of your project and add your Authgear client application configuration using the following fields:

It is recommended to render the app after configure() resolves. So by the time the app is rendered, Authgear is ready to use.

Run npm run dev now and you should see the default page again and no error message in the console if Authgear SDK is configured successfully

Step 3: Implement the Context Provider

Since we want to reference the logged-in state everywhere in the app, let's put the state in a context provider with UserProvider.tsx in the /src/context folder.

The UserProvider.tsx file will have an isLoggedIn boolean and a setIsLoggedIn function. The isLoggedIn boolean state can be auto-updated using the onSessionStateChange callback. This callback can be stored in delegate which is in the local SDK container.

Step 4: Implement the Auth Redirect

Next, we will add an "AuthRedirect" page for handling the authentication result after the user has been authenticated by Authgear.

First, install react-router-dom using the following command:

Create the AuthRedirect.tsx component file in the src/ folder.

Call the Authgear finishAuthentication() function in the Auth Redirect component to send a token back to Authgear server in exchange for an access token and a refresh token. Don't worry about the technical jargons, finishAuthentication() will do all the hard work for you and save the authentication data.

When the authentication is finished, the isLoggedIn state from the UserContextProvider will be automatically set to true. Finally, navigate back to root (/) which is our Home page.

The final AuthRedirect.tsx will look like this

Since in React 18, useEffect will be fired twice in development mode, we need to implement a to stop it from firing twice. We will use an useRef Hook to stop the user token from being sent twice to the Authgear Endpoint.

Without a cleanup function, anuseEffectHook will be fired twice and hence finishAuthentication() will send the token back to Authgear Endpoint for two times, which the second one will result in "Invalid Token" error since the token can only be used once.

Step 5: Add Routes and Context Provider to the App

Now, we will add a "Home" page. Create a Home.tsx component file the src/ folder.

Then import Home and AuthRedirect as routes. And Import UserContextProvider and wrap the routes with it.

Your final App.tsx should look like this:

The file structure should now look like

First, we will import the Authgear dependency and the React Hook that we will use to Home.tsx. Then add the login button which will call startAuthentication(ConfigureOptions) through the startLogin on click callback. This will redirect the user to the login page.

You can now run npm run dev and you will be redirected to the Authgear Login page when you click the Login button.

Step 7: Show the user information

The Authgear SDK helps you get the information of the logged-in users easily.

In the last step, the user is successfully logged in, so let's try to print the user ID (sub) of the user on the Home page.

In Home.tsx, we will add a simple loading splash and a greeting message printing the Sub ID. We will add two conditional elements such that they are only shown when user is logged in. We can also change the login button to show only if the user is not logged in.

Make use of isLoggedIn from the UserContext to control the components on the page. Fetch the user info by fetchInfo() and access its sub property.

Run the app again, the User ID (sub) of the user should be printed on the Home page.

Step 8: Add a Logout button

Now, let's add a Logout button that is displayed when the user is logged in.

In Home.tsx, we will use conditional elements to show a Logout button only for a user that is currently logged in.

Find the following line in Home.tsx:

Add the following code on a new line just after the above line:

Then, add the logout callback:

Run the app again, we can now log out by clicking the Logout button.

Step 9: Open User Settings

Authgear provides a built-in UI for the users to set their attributes and change security settings.

Use the openURL function to open the settings page at <your_app_endpoint>/settings

In Home.tsx Add a conditional link to the existing elements.

And add the userSetting callback:

This is the resulting Home.tsx:

Next steps, Calling an API

To access restricted resources on your backend application server, the HTTP requests should include the access token in their Authorization headers. The Web SDK provides a fetch function which automatically handles this, or you can get the token with authgear.accessToken.

Option 1: Using fetch function provided by Authgear SDK

Authgear SDK provides the fetch function for you to call your application server. This fetch function will include the Authorization header in your application request, and handle the process of refreshing an access token automatically. The authgear.fetch implements .

Option 2: Add the access token to the HTTP request header

You can get the access token through authgear.accessToken. Call refreshAccessTokenIfNeeded every time before using the access token, the function will check and make the network call to refresh the access token only if it is expired. Include the access token into the Authorization header of the application requests.

JavaScript (Web)

Integrate Authgear to your website with the Web SDK

In this guide, you'll learn how to integrate Authgear into your website using the Token Approach. In the token approach, the Authgear server returns an access token and a refresh token to your SPA application after successful user authentication.

Your application can send the access token in subsequent HTTP requests to access protected resources.

Follow this guide to add Authgear SDK to any web application in under 🕐 10 minutes.

See and clone the full code for the demo app for this tutorial in the Github Repo here.

This guide uses the Authgear Web SDK for integrating Authgear with a SPA Web app. Supported browsers include:

Last 2 Firefox major versions
Last 2 Chrome major versions
Last 2 Edge major versions
Last 3 Safari major versions

Setup Application in Authgear

Signup for an Authgear Portal account in . Or you can use your self-deployed Authgear.

From the Project listing, create a new Project or select an existing Project. After that, we will need to create an application in the project.

Step 1: Create an application in the Portal

Go to Applications on the left menu bar.

Click ⊕Add Application in the top toolbar.

Input the name of your application and select the application type Single Page Application. Click the Save button to proceed.

On the next screen you will see a list of tutorials for different frameworks, click on Next to skip to your client application configuration page.

Step 2: Configure the application

First, decide the paths in your website that users will be redirected to after they have authenticated with Authgear.

To run the demo app in this tutorial offline, scroll to the URIs section of your client application page add the following URI:

Under Authorized Redirect URIs add http://localhost:3000/

Note that the trailing "/" in the above URLs must be included.

Click on the Save button to keep your changes.

Add Authgear to any web page using JavaScript

In this section, we'll create a simple web page and use the Authgear Web JavaScript SDK to add user authentication to the page.

Step 1: Create a Basic Single Page Web Application

For this guide, we'll create a basic web application with only one page. Follow these steps to set up the application. First, create a new directory on your computer for the project. You can do this in a terminal using the following commands:

Step 2: Create Web Server

We'll create an Express.js server in the web project directory so that we can access the HTML page in a web browser using http://localhost:3000. Run the following commands from the root of your web project directory to install Express.

First, generate a package.json file in your project directory:

Install the Express npm package:

Install Nodemon (used for adding hot road to JavaScript development):

Now create a server.js file in the root folder of your project. Add the following code to server.js:

Next, open the package.json in your project directory and add the following lines in the script section:

Note that the above you may use your preferred tool/environment to serve the HTML file and skip the step of creating an Express server.

Step 3: Create Web Page

Create a new file called index.html in the root of your project directory. Add the following code to the file:

The content index.html is a simple web page that contains some text, a Log in button, and a Log out button. In later steps, we will implement the onclick events for both steps such that each calls the correct function from the Authgear Web JavaScript SDK.

Step 4: Install Authgear Web JavaScript SDK

CDN

The Web JS SDK is available on a CDN that you can include in any webpage using the following script tag:

The Web JS SDK is also available as . That can be installed using any of the following commands:

NPM

Yarn

We recommend that you use the npm package to add Authgear to your web application when you're using build tools like Vite and Webpack, and when building with frameworks like React, Vue, Angular, etc.

The easiest way to add a JavaScript library such as the Authgear SDK to a generic Single Page Application (a basic .html file page), is to use a CDN. Hence, we'll use the CDN method to add the Authgear Web JavaScript SDK to our demo application for this tutorial.

To install the Authgear SDK, add the Authgear SDK CDN <script> tag to index.html on a new line just before the </body> . Your index.html should look like this at this point:

With that, we have added the Authgear SDK to a basic HTML page and we are ready to start making calls to its functions.

Checkpoint

At this point, the structure of your project folder should look like this:

To test your progress so far save your files then run the npm run dev command. Next open localhost:3000 on your preferred web browser and you should see a page that looks like this:

Step 5: Initialize Authgear SDK

Create a new public/js directory in the root of your project directory.

Create a new file called app.js in the public/js directory. Add the following content to app.js:

In app.js, the configureClient() function gets an instance of the Authgear Web SDK (authgearClient) and then calls the configure() function of the SDK to initialize Authgear.

You can find value for clientID and endpoint from your Authgear client application configuration page.

Finally, link app.js in index.html using <script src="js/app.js"></script> just above the line with the Authgear CDN <script> tag as shown below:

Step 6: Start the authentication flow

When the user clicks login/signup on your website, make a start authorization call to redirect them to the login/signup page (AuthUI).

In this step, we'll implement the login() function that is called when the Log in button is pressed.

Update app.js by adding the following code after the declaration of the configureClient() function:

Make sure you have added http://localhost:3000/ as an Authorized Redirect URI in the portal for your Authgear client application. Note that the last "/" in the URL is required.

Step 7: Handling auth result in the redirectURI

After the user authenticates on the login page, the user will be redirected to the redirectURI with a code parameter in the URL query. In the redirectURI of your application, make a finish authorization call to handle the authentication result. This will attempt to exchange the code for the access token and user info.

Once authorization succeeds, the application should be able to display user info and access protected resources.

To handle the redirect after authentication, we'll call the Authgear SDK's finishAuthentication() function when there's a code parameter in the URL of the current page. To do that, update the window.onload callback in app.js to the following:

The updateUI() function will update the state of the webpage when the user's logged-in state changes. Add the following code to the end of app.js to implement updateUI:

The complete content of app.js at the end of this step should look like this:

Checkpoint

At this point, your file structure should look like this:

Save all changes in your code, and rerun your app on a web browser. This time, clicking on the Log in button should redirect you to your Authgear project's user login page (AuthUI).

Step 8: Open User Settings Page

To add a User Settings button to your app, add the following tag to your index.html just below the Logout button:

Next, add the following code to app.js: just below the logout() function:

Finally, add the following line to the end of your updateUI() function so that the User Settings button is displayed when the user is authenticated:

Save your work and run your app again. When you click on the User Settings button, your web app should open the pre-built User Settings page.

Step 9: Additional Actions

Get the Logged In State

When you start launching the application. You may want to know if the user has logged in. (e.g. Redirect users to log in if they haven't logged in). The sessionState reflects the user logged-in state in the SDK local state. That means even thesessionState is AUTHENTICATED, the session may be invalid if it is revoked remotely. After initializing the Authgear SDK, call fetchUserInfo to update the sessionState as soon as it is proper to do so.

The value of sessionState can be UNKNOWN, NO_SESSION or AUTHENTICATED. Initially the sessionState is UNKNOWN. After a call to authgearClient.configure, the session state would become AUTHENTICATED if a previous session was found, or NO_SESSION if such session was not found.

Fetching User Info

In some cases, you may need to obtain current user info through the SDK. (e.g. Display email address in the UI). Use the fetchUserInfo function to obtain the user info.

See more user info .

Log the user out

Use the logout function to log out the user. The user will be redirected to your Authgear endpoint to log out their session. You should provide the redirectURI for the user to return to your app.

Calling an API

Once you have logged-in user, you can start making authenticated requests to backend APIs as described below.

Token-based authentication

There are two ways to include the access token in the HTTP requests to your application server.

Option 1: Using fetch function provided by Authgear SDK

Authgear SDK provides the fetch function for you to call your application server. This fetch function will include the Authorization header in your application request, and handle refresh access token automatically. The authgearClient.fetch implements .

Option 2: Add the access token to the HTTP request header

You can get the access token through authgearClient.accessToken. Call refreshAccessTokenIfNeeded every time before using the access token, the function will check and make the network call to refresh the access token only if it is expired. Include the access token in the Authorization header of the application request.

Next steps

To protect your application server from unauthorized access. You will need to .

JavaScript SDK Reference

For detailed documentation on the JavaScript Web SDK, visit

Flutter SDK

How to integrate with a Flutter app

This guide provides instructions on integrating Authgear with a Flutter app. Supported platforms include:

Flutter 2.5.0 or higher
Android minimum SDK 30 (Android 11 or later)

Follow this guide to add Authgear to your Flutter app in 🕐 10 minutes.

You can find the full code for the demo app for this tutorial in the Github repo .

Setup Application in Authgear

Signup for an Authgear Portal account in . Or you can use your self-deployed Authgear.

From the Project listing, create a new Project or select an existing Project. After that, we will need to create an application in the project.

Step 1: Create an application in the Portal

Go to Applications on the left menu bar.

You will see the "New Application" page or Click ⊕Add Application in the top tool bar.

Input the name of your application and select Native App as the application type. Click "Save".

You will see a list of guides that can help you for setting up, then click "Next".

Step 2: Configure the application

In your IDE, define a custom URI scheme that Authgear will use to redirect users back to your app after they have authenticated , For your demo application for this guide, the URI scheme will be: com.example.authgeardemo.flutter://host/path. To learn more about setting up URI Scheme in flutter, visit .

Head back to Authgear Portal, fill in the Redirect URI that you have defined in the previous step.

Click "Save" and note the Client ID. and Endpoint. You can also obtain them from the Applications list later.

Add User Authentication to Flutter App using Authgear SDK

In this part of the guide, we'll add user Authentication to a simple demo app using the Authgear Flutter SDK.

The demo app will have a login button that users can click to initiate the authentication flow. It will also include a group of widgets for greeting logged-in users, opening the user settings page, and logout.

Step 1: Create Flutter App

If you're new to Flutter, follow the official to see how you can install Flutter on your computer.

Run the following command to create a new Flutter project:

Step 2: Install Authgear SDK

Run the following command from the root directory of your Flutter project to install the Authgear SDK:

Step 3: Initialize Authgear

First, import Authgear at the top of lib/main.dart:

Next, create a field variable _authgear of type Authgear and an _init() method in your page's State class:

Note: The State Class is the class associated with a stateful page (widget). For example, the following show part of the State class for our demo app after adding the _authgear field and an _init() method:

Replace "<AUTHGEAR_ENDPOINT>" and "<ClIENT_ID>" with the client ID and endpoint for the client application you created earlier.

Finally, override the initState() method for your State class to call your new _init() method. This will initiate a new instance of the Authgear SDK that you'll use to perform operations like starting an authentication flow.

In this step, we'll add a login button and other UI widgets to our demo application.

To do that, first, add a _userInfo field variable to the State class:

Our demo app will use the value of the _userInfo variable to determine when to show a login button or the group of widgets for logged-in users.

Next, replace the widget in body attribute of Scaffold with the following:

Now implement the loggedInUserScreen() custom widget like this within the State class:

In the next step, we'll implement the _onPressedAuthenticate() method.

Step 5: Start Authentication Flow

Here we will implement the _onPressedAuthenticate() method that will be called when a user clicks on the Login button.

Add the following method in the State class:

The above code calls the authenticate() method of the Authgear SDK. This will start a new authentication flow. Replace the value for the redirectURI argument with the redirect URI you registered in your client application.

Create empty _onPressedSettings() and _onPressedLogout() methods in your State class for now so that you can build application:

At this point, the full code for main.dart should look like this:

Checkpoint

At this point, you can save your work and run the following command to test your app on a mobile device or emulator:

When your app runs, you should see the Login button, clicking on it should start a new Authentication. However, you may not be able to complete authentication because we're yet to configure our app to handle redirect from Authgear.

Step 6: Setup redirect URI for your app

To finish the integration, setup the app to handle the redirectURI specified in the application. This part requires platform specific integration.

Here you declare the URL schemes supported by your app, so the device can redirect the user to the app after authentication using the redirect URI.

Android

Add the following <activity> entry to the /android/app/src/main/AndroidManifest.xml of your app. The intent system would dispatch the redirect URI to OAuthRedirectActivity and the SDK would handle the rest.

You also need to add a queries section to AndroidManifest.xml.

Remove the following line from AndroidManifest.xml because this setting conflicts with the SDK:

Next, open /android/app/build.gradle and set minSdk to 30:

To learn more about why minSdk is set to 30, see

iOS

Declare URL Handling in Info.plist

In the Info.plist in your project's ios folder, add the matching redirect URI by adding the key CFBundleURLTypes and the values inside <dict> as shown as the following example.

Now if you run your app again, you should be able to login, be redirected back to your app and view the group of widgets that's for logged-in users.

Step 7: Logout

To log out the user from the current app session, you need to invoke thelogout method of the SDK.

Update the empty _onPressedLogout you added earlier so that it calls the logout method.

Step 8: Open User Settings Page

Authgear provides a pre-built user settings page from which your users can view and edit their profile details, and change security settings like password, and 2FA.

The SDK includes a method that you can use to easily open this user settings page.

Update the empty _onPressedSettings method you added earlier so it initiates the process of opening the user settings page.

Step 9: Show User Info

At this point, our application already shows the current user's info (their unique ID, sub). However, the Authgear SDK includes a getUserInfo() method that you can call explicitly to get an object that contains the current user's information like their email, phone number, name, etc.

Calling this getUserInfo() method can also refresh the current user's access token to make sure that their session state is really authenticated, that is, an logged-in user is not using an expired access token.

Update your _init() method to check the user's logged-in state and fetch their user info when the state is SessionState.authenticated.

Additional Actions

Get the Logged In State

When you start launching the application. You may want to know if the user has logged in. (e.g. Show users the login page if they haven't logged in). The sessionState reflects the user logged in state in the SDK local state. That means even the sessionState is SessionState.authenticated, the session may be invalid if it is revoked remotely. After initializing the Authgear SDK, call fetchUserInfo to update the sessionState as soon as it is proper to do so.

The value of sessionState can be SessionState.unknown, SessionState.noSession or SessionState.authenticated. Initially, the sessionState is SessionState.unknown. After a call to authgear.configure, the session state would become SessionState.authenticated if a previous session was found, or SessionState.noSession if such session was not found.

Using the Access Token in HTTP Requests

To include the access token to the HTTP requests to your application server, use wrapHttpClient.

The wrapped client will include the Authorization header in every HTTP request, and refresh access token automatically.

Next steps

To protect your application server from unauthorized access. You will need to integrate your backend with Authgear.

Flutter SDK Reference

For detailed documentation on the Flutter SDK, visit

React Native SDK

How to integrate with a React Native app

This guide provides instructions on integrating Authgear with a React Native app. Supported platforms include:

React Native 0.60.0 or higher

Follow this guide to add Authgear to your React Native app in 🕐 10 minutes.

You can find the full code for the demo app for this tutorial in the Github repo here.

React Native have opt-in support for the since 0.68. Given that the New Architecture is still considered as unstable, we do not support it at the moment.

Video Guide for React Native

Setup Application in Authgear

Signup for an Authgear Portal account in . Or you can use your self-deployed Authgear.

From the Project listing, create a new Project or select an existing Project. After that, we will need to create an application in the project.

Step 1: Create an application in Authgear Portal

Go to Applications on the left menu bar.

You'll see the "New Application" page, or Click ⊕Add Application in the top tool bar.

Input the name of your application and select Native App as the application type. Click "Save".

On the next screen, you will see a list of guides that can help you with setting up, click "Next" to continue.

Step 2: Configure the application

In your IDE, define a custom URI scheme that will be used to redirect users back to your app after they have authenticated with Authgear. For example, in our example app, we will define the following URI scheme:

For further instruction on setting up custom URI scheme in React Native, see

Now head back to Authgear Portal, and add the URI that you have defined (com.authgear.example.rn://host/path for this example) as an Authorized Redirect URI.

Click "Save" and note the Client ID and Endpoint for your Authgear client application. You can also obtain it again from the Applications list later.

Add User Authentication to React Native App using Authgear SDK

In this section, we'll walk through the steps to create a new React Native app and use the Authgear SDK to add user authentication to the app.

Step 1: Create a React Native app

Run the following command to create a new React Native project:

For a more detailed guide on how to create a project and set up a development environment for React Native, follow the .

Step 2: Install the SDK

Run the following commands from the root directory of your React Native project to install the Authgear SDK:

Step 3: Initialize Authgear

In this step, we'll implement the code to initialize an instance of the Authgear SDK which we will be using to interact with the Authgear client application we created earlier.

First, open the App.tsx file in your project then add the following import statements at the top:

Add the following code at the top inside the App() function in App.tsx to configure a new Authgear instance and set up a delegate that will help our app to know the current state of a user's session (whether they're logged in or not):

Replace <CLIENT_ID> and <AUTHGEAR_ENDPOINT> with the Client ID and Endpoint for your Authgear client application.

The above code includes a postConfigure() method that helps to get the true session state for a user that was previously logged in.

Replace the content for the return statement in the App() function inside the App.tsx file with the following:

Import the necessary components at the top App.tsx:

Step 5: Start Authentication Flow

In this step, you will implement an authenticate() method that calls the authenticate() method of the Authgear SDK. The Login button we added in the previous step calls this authenticate() method to start an authentication flow.

Add the following code to the App() function just after the useEffect() for the configure() method in step 3:

Checkpoint

At this point the complete code in your App.tsx should look like this:

Now save your work and try running your app on Android or iOS using any of the following commands:

Android

iOS

When your app opens, if you click on the Login button, you should be redirected to the Authentication UI. However, you can't complete authentication because we are yet to handle the redirect URI.

Step 6: Setup Redirect URI

To finish the integration, set up the app to handle the redirect URI specified in your Authgear client application. This part requires platform-specific integration.

Android

Add the following activity entry to the android/app/src/main/AndroidManifest.xml of your React Native project. The intent system would dispatch the redirect URI to OAuthRedirectActivity and the sdk would handle the rest.

You also need to add a queries section to AndroidManifest.xml.

iOS

Declare URL Handling in Info.plist

In ios/<your_project>/Info.plist, add the matching redirect URI.

Optional: Handle deep links for WeChat Login

Skip this part if you don't need support for "Login with WeChat".

Alternatively, use any popular deep-linking library then implement code to forward the deep link to our SDK in the JavaScript side for your React Native app.

To handle WeChat deep links, in AppDelegate.m, add the following code snippet:

Step 7: Logout

Now let's add a Logout feature to our example app so users can logout and end their session.

We'll add a Logout button and implement a logout() method that calls the corresponding logout() method of the Authgear SDK:

Add a logout() method to your App() function after the authenticate() method you added earlier:

Next, add the Logout button and call the logout() method from onPress. Add the button to the return statement for App() just below <Text style={{paddingTop: 50, paddingBottom: 16}}> Welcome User</Text> :

Save your code and run the app. Click the Logout button and the user should be logged out.

Step 8: Show User Info

The Authgear SDK includes a fetchUserInfo() method that returns details such as user ID, email, phone number, etc about the current user.

In this step, we'll add a Show User Info button to our app. This button will call the fetchUserInfo() to demonstrate how the method works.

Add a showUserInfo() method to your App() function just below the logout() method:

The showUserInfo() method calls the fetchUserInfo() method of the Authgear SDK and displays the data returned in an Alert.

Next, add the Show User Info button to the return statement of App() just below the Logout button from the previous step:

Step 9: Open User Settings Page

Authgear offers a pre-built User Settings page for users of your application to view and modify their profile and security details.

In this step, we'll use the open() method in the Authgear SDK to open this User Settings page when a logged-in user clicks on a button.

Add an openSettings() method to your App() function just below the showUserInfo() from the previous step:

Next, add a User Settings button to the return statement of App() just below the Show User Info button:

Now run your app and you should be able to access the User Settings page when you click on the User Settings button.

Additional Actions

Get the Logged-In State

When you start launching the application. You may want to know if the user has logged in. (e.g. Show users the login page if they haven't logged in).

The sessionState reflects the user logged-in state in the SDK local state. That means even if the sessionState is AUTHENTICATED, the session may be invalid if it is revoked remotely. Hence, after initializing the Authgear SDK, call fetchUserInfo to update the sessionState as soon as it is proper to do so. We demonstrated this in our example app using the postConfigure() method.

The value of sessionState can be UNKNOWN, NO_SESSION or AUTHENTICATED. Initially, the sessionState is UNKNOWN. After a call to authgear.configure(), the session state would become AUTHENTICATED if a previous session was found, or NO_SESSION if such session was not found.

Using the Access Token in HTTP Requests

To include the access token in the HTTP requests to your application server, there are two ways to achieve this.

Option 1: Using fetch function provided by Authgear SDK

Authgear SDK provides the fetch function for you to call your application server. The fetch function will include the Authorization header in your application request, and handle refresh access token automatically. authgear.fetch implement .

Option 2: Add the access token to your HTTP

You can access the access token through authgear.accessToken. Call refreshAccessTokenIfNeeded() every time before using the access token. The refreshAccessTokenIfNeeded() function will check and make the network call to refresh the access token only if it has expired.

Include the access token in the Authorization header of your application request.

Next steps

To protect your application server from unauthorized access. You will need to .

JavaScript SDK Reference

For detailed documentation on the JavaScript React Native SDK, visit

Laravel

Authentication for Laravel websites with Authgear and OAuth2

In this guide, you'll learn how to add user authentication to a Laravel app using Authgear as an OIDC provider.

Authgear supports multiple ways to allow users to log in to apps such as passwordless sign-in, phone OTP, and 2FA. In this post, we'll show you how to enable all these options in your Laravel app without worrying about the underlying logic.

What You Will Learn

How to create an Authgear Application.
How to request OAuth 2.0 authorization code from Authgear.
How to get user info from Authgear using OAuth 2.0 access code.
Link user info from Authgear with Laravel's default Breeze authentication.

Prerequisites

To follow along with the example, you should have the following in place:

A free Authgear account. if you don't have an account yet.
A Laravel project.

What We Will Build

The example app we'll build in this post uses the default Laravel Breeze authentication kit. This kit provides the starter code for email and password user authentication systems.

We will be using Authgear to handle and process authentication data instead of the default Breeze database. By doing so, we get all the benefits of Authgear including more security and flexibility.

How to Add User Authentication to Laravel with Authgear as an OAuth Provider

In this section, we'll walk through the complete steps for building the example app.

Step 1: Configure Authgear Application

Before we can use Authgear as an OAuth identity provider, we need to set up an application on the Authgear portal.

To do that, log in to Authgear then select a project. Next, navigate to the Applications section for your project. Create a new application or configure an existing one with OIDC Client Application as Application Type as shown below:

Once you're done, click on Save to go to the application configuration page. This page reveals the application credentials and OAuth 2.0 endpoints.

Note down details like the Client ID, Client Secret, and the endpoints as you'll use them later in your Laravel project.

Step 2: Add a Redirect URI

While you're still on the application configuration page, scroll down to the URL section then click on Add URI. Enter localhost:8000/oauth/callback in the text field if you will be running your Laravel app on your local machine. Once you're done, click Save.

The redirect URI we provided above should be a valid page on our Laravel app as Authgear will redirect users to the page after authorization.

Step 3: Create a Laravel Project

Now create a new Laravel project on your computer by running the following command:

Once your project is created, open the project folder in your preferred code editor and replace the content of resources/views/welcome.blade.php with the following code:

Alternatively, you can create a new index.blade.php file in the resources folder and add the above code inside it. Then, update the web.php route file to render the new file instead of welcome.blade.php.

Next, run the php artisan serve command in the terminal to test your application. At this point, your application should look like the following screenshot when you access localhost:8000 on a browser:

Step 4: Install Laravel Breeze

Breeze is the official user authentication starter kit for Laravel. What that means is that Breeze helps you set up the database, routes, controller, and user interface for a user registration and user login system.

To install Breeze on your Laravel project, run the following command:

After that, run the following command to enable Breeze to set up all the resources for the user authentication system in your project:

During the setup, select blade as the stack and leave the other options as default.

Once the setup is complete, navigate around your project file structure and you should notice some new folders and files related to authentication were added. Some of these new folders/files include an Auth sub-folder in the controllers folder, another auth sub-folder inside the views folder, and some database migration files.

Before we continue, let's add an extra oauth_uid field to the users table migration file. This field will store a user's unique ID from Authgear after successful login.

Open the create_users_table... file that is inside the database/migrations/ folder (this file will have a date value at the end of its name) and add the following code to a new line inside the Schema::create() method:

Add the MySQL database DB_DATABASE, DB_USERNAME, and DB_PASSWORD for the database you wish to use with your Laravel project in your Laravel project's .env file.

Finally, create the users and other tables by running the following command:

Step 5: Send OAuth User Authorization Request

In this step, we'll create a new route that will handle the task of redirecting users from our app to Authgear's OAuth authorization page where they can grant our app authorization to their data on Authgear. If you've used other OAuth 2.0 providers before, for example, signing in to a website using Google OAuth, you may already be familiar with an authorization page.

First, create a new controller that will handle all OAuth operations in our Laravel app by running the following command:

Before we start implementing the logic for our new controller, we need to install a PHP OAuth 2.0 client package. This package will simplify the process of interacting with Authgear's OAuth endpoints. Run the following commands to install the package:

Now, back to implementing the controller; open the new OAuthController file (from the app/Http/Controllers folder) and add the following code to it:

Next, add your Authgear Application's Client ID, Client Secret, and the redirect URI you specified earlier to your Laravel project's .env file using the following keys:

Note: Your Authgear project URL is the hostname of any of your endpoint URLs. For example, the project URL for a project with an authorization endpoint: https://laravel-app.authgear.cloud/oauth2/authorize will be https://laravel-app.authgear.cloud.

Now let's create a route in our Laravel project that will call the startAuthorization() method.

Open the routes/web.php file and add new routes using the following code:

We've included a second route for the redirect URI (callback), we'll implement this route in the next step.

Before we continue, let's clean up some of the additional routes added by the Breeze package that we won't be needing for this example. Open the routes/auth.php file and delete the following lines:

At this point accessing the /login route should redirect to the Authgear authorization page.

Step 6: Implement Redirect URI Page

Update the empty handleRedirect() method in OAuthController to the following:

The above code gets the authorization code sent in the redirect URL from Authgear after user authorization and exchanges it for an access token. With this access token, our application can access protected resources like the user info endpoint.

Step 7: Link User Info to Laravel User Authentication

In this step, we'll use the access token we got from the last step to get the current user's info from Authgear.

First, add the following code at the end of the handleRedirect() method:

The getResourceOwner() method will call Authgear's UserInfo endpoint.

If you dump the userInfo variable (dd($userInfo)), you should get an output similar to this:

The above array contains the user's info from Authgear. We'll proceed to use this information to link the Authgear user to a default (Breeze) Laravel authentication account. As a result, our app can start a regular Laravel authenticated user session and allow access to protected routes.

To implement the above feature, find the following line in OAuthController.php:

Add the following code after the above line:

Find the complete code for the OAuthController .

Step 8: Using Refresh Token

OAuth 2.0 access tokens expire after some time. The refresh token on the other hand live longer. As a result, you can use the refresh token to request a new access token. In this step, we'll do exactly that in our Laravel application.

First, app/Http/Controllers/ProfileController.php and update the content of the edit() method to the following:

The above code checks if the current access token is expired using the hasExpired() method. If the condition is true, we call the getAccessToken() method with the refresh token to get a new access token.

The value of the current access token is updated to the new access token.

Next, this edit() method also displays the current user's profile details from your Authgear project on the UI. To implement this, add the following code to resources/views/profile/edit.blade.php, just below the line with "<div class="max-w-7xl mx-auto sm:px-6 lg:px-8 space-y-6">":

At this point, if we run our app and click on the login link on the landing page, we should be redirected to the Authgear authorization page. After granting authorization, we are directed to the callback route of our Laravel app. If authentication is successful we should be redirected to the default Breeze-protected dashboard page that looks like this:

Step 9: Logout

To log a user out, we'll delete all existing PHP session data and then call the Authgear token revoke endpoint.

First, add a new logout function to the OAuthController.php file using the following code:

Then, open routes/web.php and update the logout route to the following:

What's Next

You should try enabling the different login methods on Authgear from the Portal to enjoy features like 2FA, passwordless login, and more without updating anything on the code for your app.

Find the complete code for the example app in our .

Ionic SDK

Guide on how to use Authgear in an Ionic project

In this post, you'll learn how to use Authgear with your Ionic project using the Authgear Ionic SDK.

You can find the full code for the demo app for this tutorial in this Github repo

The following are the minimum versions of Android and iOS your native app can target based on the requirement of Capacitor v7:

iOS 14
Android 6 (API level 23)

Objectives (What we'll build)

At the end of this tutorial, we'll build an Ionic app that can do the following:

Allow users to log in to their account on your Authgear project
Allow new users to sign up
Allow signed-in users to view their user info and logout.

The final UI for the app we'll build should look like this:

Prerequisites

To follow this guide seamlessly, make sure to have the following:

Node.js installed on your local machine
Android Studio (for building the Android client of your application)
Xcode (for building the iOS client of your application)
An Authgear account. You can sign up for one for free .

Follow this guide to add Authgear to your Ionic app in 🕐 10 minutes.

Setup Application in Authgear Portal

In this part, you'll learn how to configure an Authgear client application that you will use in your Ionic project. You'll do this by performing the following steps in the Authgear Portal.

Step 1: Set up an Authgear Application

First, log in to Authgear Portal at and select an existing project or create a new one.

In your project, navigate to the Applications section then click on Add Application to create a new Authgear application. Enter a name for your application and select Native App as the Application Type. Next, click Save to continue to the configuration page for your new application. Skip the screen that shows you a list of tutorials for different frameworks.

Step 2: Add Authorized Redirect URIs

In this step, you'll set up authorized redirect URIs for your application. An authorized redirect URI should be a URI pointing to a page on your Ionic app where you want to redirect users at the end of the authorization flow.

To add a URI, scroll to the URIs section of your application configuration page and enter the URI in the text field. You can click the Add URI button to add additional URIs.

For our example app, add the following URIs:

com.authgear.example.capacitor://host/path
capacitor://localhost
http://localhost:8100/oauth-redirect

Once you're done, click on the Save button.

Add Authgear to an Ionic App

Now that you have your Authgear application configured, we can proceed with creating the Ionic application that will have all the features stated in our objective earlier.

For this tutorial, we'll be implementing an Ionic app using React.

Step 1: Create Ionic Project

Before you can create an Ionic project, install the Ionic CLI on your computer by running the following command in Terminal or Command Prompt:

Now create a new Ionic project by running the following command:

After running the above command, follow the wizard to create a new blank project.

Next, open your new project in a code editor and update for appId in capacitor.config.ts to the following value:

This new value for appId is the same value we used in the authorized redirect URI earlier.

Note: It is important that you update the value for appId before you create the Android and iOS projects for your Ionic application. Doing this will enable Capacitor to create your Android and iOS project with the value for appId as the package name and app ID.

Run the following command from the root directory of your new Ionic project to preview your blank project on a browser:

Finally, create the Android and iOS projects for your app by running the following commands from your Ionic project's root folder:

First, install the Android and iOS platforms:

Then, create the projects:

Step 2: Install Authgear SDK

In this step, you'll install the Authgear SDK for Ionic (Capacitor) and the Javascript SDK for the web. The web SDK will help you test your application on a web browser.

To install the SDKs, run the following commands in your Terminal or Command Prompt:

Authgear Ionic SDK

Authgear Web SDK

Step 3: Configure Authgear SDK

In this step, you'll learn how to configure your Ionic project using the details from your Authgear application configuration.

To get started, open src/pages/Home.tsx in your code editor then import the Authgear SDK by adding the following code to the top of the file:

The above code imports all the components of the Authgear SDK we need for our example app.

Because Ionic apps can run on the web and native mobile platforms, we had to import both Authgear web and Authgear Capacitor SDKs.

Next, add the following constants to Home.tsx just below the last import statements:

Update the values for the constants (CLIENT_ID, ENDPOINT) to the correct values from your client application's configuration page in the Authgear Portal.

Now, just below the constants, add this small utility function that will help to check whether your Ionic app is running natively or on a web browser:

Import Capacitor by adding the following to the import section at the top of Home.tsx:

You will use the above function to determine which instance of the Authgear SDK to call based on the current platform a user is on.

Now implement a new AuthenticationScreen component in Home.tsx by pasting the following code:

Import useState, useMemo, useEffect and useCallback at the top of Home.tsx:

The above code also implements a sessionState constant and a delegate to let your app know when a user's session state changes.

Next, add the following configure() method to the AuthenticationScreen() component just before the return statement:

The above code configures a new instance of the Authgear SDK using the Client ID and Endpoint for the Authgear client application we created in the first part of this guide.

Next, implement the postConfigure() method that was called in the configure() method:

The postConfigure() method checks if the user is already authenticated and calls the fetchUserInfo() method of the Authgear SDK. Calling the fetchUserInfo() method will refresh the user's access token if it is expired.

Now, call the configure() method in useEffect by adding the following code after the postConfigure() method:

The above useEffect will initialize Authgear on page load.

In this step, we'll add the Login button and the UI components we want to show authenticated users.

Add the following code to the <div> inside the return statement of the AuthenticationScreen component:

Import IonButton by adding it to the import for other Ionic components in our app:

Finally, add the <AuthenticationScreen/> component to the Home component:

Step 5: Start Authentication

Here, we'll implement an authenticate() method inside the AuthenticationScreen component we created in the previous step.

To do this, first, add the following code just before the return statement of the AuthenticationScreen() component:

Calling this authenticate() method will initialize an authentication flow. The page parameter can be used to specify whether to start the authentication flow on the login page or signup page.

Finally, implement a onClickAuthenticate() method that will call authenticate when the Login button is pressed:

Import MouseEvent:

Checkpoint

At this point, the complete code for Home.tsx should look like this:

Save your work and run the command to serve your project on the web or .

You should be able to see the Authentication UI after you click on the Login button. However, you can't complete the authentication flow because we're yet to handle the redirect.

Step 6: Handle Redirect in App

At the end of an authentication flow, your users will be redirected to the URL you specified in redirectURI. In this step, we'll set up the routes and code to process redirects to the URIs.

To handle redirect on web, create a new file OAuthRedirect.tsx in src/pages/ and add the following code to it:

Change the values for CLIENT_ID and ENDPOINT in the above code to the correct value from your Authgear application configuration page.

Now open src/App.tsx and create a new route for OAuthRedirect using the following code:

Remember to import OAuthRedirect in App.tsx:

To handle redirect in the Android project, add the following code to android/app/src/main/AndroidManifest.xml:

At this point, if you build your project and run it, you should be able to login successfully.

Step 7: Implement Logout

To implement Logout, we'll add a Logout button, an onClick handler, and a method that will call the logout() method of the Authgear SDK.

Add a Logout button to AuthenticationScreen component just below <p>Welcome user</p>:

Next, add a logout() method to AuthenticationScreen component:

Finally, implement the onClick method in AuthenticationScreen :

Step 8: Get UserInfo

The Authgear SDK offers a fetchUserInfo() method that can return details such as User ID, email, phone number, and so on about the current user. In this step, we'll demonstrate how to call fetchUserInfo in our app.

First, add a Fetch User Info button to your AuthenticationScreen component just below the Logout button:

Next, add a fetchUserInfo() method to the AuthenticationScreen component:

Finally, add the method that will handle click on the Fetch User Info button:

Step 9: Open User Settings Screen

Authgear provides a default User Settings page where your users can view details about their profile and change details or security settings like their password.

To allow users to open the settings page from your app, first add a User Settings button to you r AuthenticationScreen component just below the Fetch User Info button:

Now add an openUserSettings() method in AuthenticationScreen component:

Finally, implement the onClick method for the User Settings button:

Step 10: Deploy app to mobile

To deploy your app to a mobile device (for example Android) run the following commands:

First build your project by running:

Then sync the changes to the mobile project using this command:

You can run the project by opening the android project folder in Android Studio or ios folder in Xcode.

You can quickly open the project in Android Studio using the following command:

Or run the following command to open your project in Xcode for iOS:

Once your project builds successfully, you can try the Login, Signup, Fetch User Info, and Logout buttons.

Conclusion

Authgear Capacitor SDK makes it easier to use Authgear in your Ionic application. It provides many helpful methods and interfaces for interacting with the Authgear service from your Ionic application. To learn more about the SDK check . Also, check out the complete repo for the Authgear Ionic SDK example app .

Connect Mobile Apps to WeChat

WeChat Open Platform account (微信开放平台账号) is different from WeChat Official account (微信公众平台账号). Authgear supports integrating WeChat Login with a WeChat Open Platform account.

Prerequisite

Register a .
Register a Mobile Application (移动应用).
- For iOS, the Associated Domains and Universal Links supports are required in your app. See from Apple for details.
- For Android, the MD5 fingerprint of the signing keystore is required

See for more details.

WeChat login is incompatible with Passkey

Login with WeChat requires the use of WebKitWebViewUIImplementation which does not support the use of Passkey APIs. At the moment, either passkey or WeChat login can be enabled in your mobile applications.

Get the information from WeChat Open Platform

Once your mobile app is approved on the platform, you will see the word "✅已通过" in the app details page.

Get the appid (Client ID).

Get the appsecret (Client Secret). It will only be shown once. You need to re-generate if you lose it.

Get the 原始ID (Account ID) of your WeChat Open Platform account.

Sign in to the Authgear portal.
Select your project.
In the navigation menu, go to Authentication > Social / Enterprise Login.
Click Add Connection.

Integrate the WeChat SDK into your iOS app

You can skip this section if you do not have an iOS app.

This section assumes you install the WeChat SDK with .

To integrate the WeChat SDK into your iOS app, you have to read .

This section reminds you some of the important points that you may miss in the official integration guide.

Install the latest version of the WeChat SDK for iOS

The latest version can be found at As of the time of writing, the latest version is 2.0.4.

Specify your WeChat `appid` in Info.plist

Specify LSApplicationQueriesSchemes in Info.plist

In case you have other schemes, you need to make sure the WeChat ones are the first 50 items.

Make sure `OTHER_LDFLAGS` contains `-ObjC`

If you fail to do so, you will encounter .

The WeChat SDK for iOS depends on the Objective-C runtime. Therefore, your app has to link to the Objective-C runtime. To do so, you need to make sure OTHER_LDFLAGS contains -ObjC.

The -ObjC flag is so special in CocoaPods that you CANNOT add it with CocoaPods hook.

If your iOS app is written in , the app is likely to have OTHER_LDFLAGS including -ObjC already, as React Native depend on the Objective-C runtime.

In other case, you need to manually edit your Build Settings to include the -ObjC flag.

Add the integration code for the WeChat SDK for iOS

In your AppDelegate.swift

In your SceneDelegate (if you have one)

In your AppDelegate.h

In your AppDelegate.m

In your SceneDelegate.m (if you have one)

Integrate the WeChat SDK into your Android app

You can skip this section if you do not have an Android app.

To integrate the WeChat SDK into your Android app, you have to read .

This section reminds you some of the important points that you may miss in the official integration guide.

Install the latest version of the WeChat SDK for Android

The latest version can be found at As of the time of writing, the latest version is 6.8.34.

Declare `<queries>` in your `AndroidManifest.xml`

You need to declare in your AndroidManifest.xml that your app is supposed to query the existence of the WeChat app at runtime.

Add this to your AndroidManifest.xml.

Declare your callback Activity in your `AndroidManifest.xml`

The WeChat SDK opens the Activity PACKAGE_NAME.wxapi.WXEntryActivity. You need to implement that Activity and declare it in your AndroidManifest.xml.

Implement the callback Activity

The full Java name of the Activity must be PACKAGE_NAME.wxapi.WXEntryActivity. If the package name you tell WeChat Open Platform is com.myapp, then the full Java name of the Activity must be com.myapp.wxapi.WXEntryActivity.

Here is an example implementation that is based on BroadcastReceiver:

Make sure your Android app is signed by the keystore you tell WeChat Open Platform

On WeChat Open Platform, you need to tell it the MD5 fingerprint of the keystore you use to sign your Android app.

If you use Google Play Console to distribute your Android app, it is likely that you are using . With Play App Signing, you tell Google the fingerprint of the keystore you originally sign your app. Google removes the signature and uses its managed keystore to sign the app before distributing the app to Play Store. The final app running on the device of course bears the signature of the managed keystore. This is also the signature the WeChat SDK sees when it validates the signature.

To get the MD5 fingerprint of the managed keystore, refer to the following screenshot:

Note that the MD5 fingerprint you see on Google Play Console is a colon-delimited uppercase hex string, while WeChat Open Platform expects you to provide a plain lowercase hex string.

For example, suppose the MD5 fingerprint you get from Google Play Console is D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E, you can use the following shell command to do the conversion.

The output d41d8cd98f00b204e9800998ecf8427e is in the expected WeChat Open Platform format.

For those of you who produce the final signature of your app using your own keystore, you can use the following shell command to output the MD5 fingerprint.

Where

STORE_FILE is an environment variable pointing to the keystore file on your machine, for example, ./mykeystore.jks.
STORE_PASSWORD is an environment variable containing the password of the keystore.
KEY_ALIAS is an environment variable indicating which key in the keystore to use.

Configure Authgear SDK for WeChat

You have 2 actions to take:

Switch to WebKitWebViewUIImplementation when you initialize the Authgear SDK.
Implement the callback / delegate of WebKitWebViewUIImplementation.

Switch to `WebKitWebViewUIImplementation`

Implement the callback / delegate of `WebKitWebViewUIImplementation`

This section assume you have integrated the WeChat SDK according to

In particular,

In your AppDelegate.swift

In your MainActivity.java

In your React Native TypeScript code

In your iOS Native Module MyWeChatModule.h

In your iOS Native Module MyWeChatModule.m

In your WXApiDelegate

Appendix: Create mobile app on WeChat Open Platform

Prerequisite: A WeChat account is required for registering the app.

These information are required for creating the application on the platform, prepare them before creating the application:

Basic Information

Field

Meaning in English

Usage

App configuration

iOS

Bundle ID
测试 Bundle (Testing Bundle ID)
Universal Links
备用 Universal Links (Backup Universal Links)

Android

应用包名 (Package name)
应用签名 (App Signature)

Add Biometric Login

Overview

Biometric login is supported for the following operating systems:

iOS 11.3 or higher
Android 6.0 (API 23) or higher

Authgear supports enabling biometric login in the native mobile application. You will need to

Enable biometric login in your application via the portal.
In the mobile app, use the mobile SDK to enable biometric login for your users.

A pair of cryptographic keys will be generated upon registering biometric login. The private key will be stored securely in the device (using Keystore in Android and Keychain in iOS), while the public key is stored in the Authgear server. To authenticate the user, fingerprint or face is presented to unlock the private key, and a digital signed message is sent to the server to proof the authenticity of the user.

Fig 1.0. The following figure shows the sequence for enabling Biometric Login on a supported device:

The Client App that is already logged in to a user's account will check if biometrics is supported by the user's device. If the device supports biometric login, it is then enabled. The public key is sent to Authgear server and associated with the logged-in user's account.

The flow is then completed and biometric login is enabled for the user on the Client App.

Fig 2.0. The following figure shows the sequence for a user logging in with Biometric:

With biometric login already enabled for the user, the next time they need to log in they can initiate a biometric authentication flow which will follow the sequence shown in Fig 2.0 above. Once the biometric login is successful, Authgear server will return an access token and a refresh token. The client application can then use the access token to make authenticated requests.

Sounds overwhelming? Authgear's magic handles all these for you. Follow this guide to enable biometric login with a few lines of code in your app.

Enable biometric authentication for your project

In the portal, go to Authentication > Biometric.
Turn on Enable biometric authentication.
Save the settings.

Set reasonably short token lifetimes for client applications

Biometric login is usually used when you want the user to re-login after a relatively short period of time. For sensitive applications such as financial apps, it's recommended to use a short refresh token lifetime and a short idle timeout.

In the Authgear Portal, go to Applications
Select the client application that represent the integration with the mobile app
Set a short Refresh Token Lifetime to say 3,600 seconds (1 hour)
Enable Expire after idling

By doing so, the end-user's session will be expired 1 hour after their login, or after 30 minutes of inactivity. The end-user will need to authenticate themself again with biometric, even if the app process has not yet been killed.

Apart from the short token lifetimes, it's also common for sensitive apps to ask the user to re-login by biometric after the app process is killed and relaunched.

The SDK should be configured to use TransientTokenStorage so the tokens are stored in memory, and will be cleared when the app is closed. So the end-users must authenticate with biometrics again.

In the following section, we will show you how to use biometric login in the SDK. In the SDK code snippet, authgear is referring to the configured Authgear container.

Biometric options

Customize the biometric options to achieve the expected user experience.

iOS

There are 4 options on iOS:

localizedReason is the custom message to explain to the user why TouchID or FaceID is required.
localizedCancelTitle (optional) customizes the cancel button label.
policy constraints how the user is authenticated locally.

In summary, based on the desired behavior and business requirements, set the policy and constraint options as below.

Requirement

Policy

Constraint

Android

There are 6 options on Android:

title is the Title of the biometric dialog presented to the users
subtitle is the subtitle of the biometric dialog presented to the users
description is the description of the biometric dialog presented to the users

In summary, based on the desired behavior and business requirements, set allowedAuthenticatorsOnEnable and allowedAuthenticatosOnAuthenticate as below.

Code examples

Check support

Always check if the current device supports biometric login before calling any biometric API, including before enabling biometric login and before using biometrics to login.

Enable biometric login for logged in user

Check if biometric has been enabled before

Before asking the user to log in with biometric, Check if biometric login has been enabled on the current device. I.e. Is the key pair exist on the device (Keystore in Android and Keychain in iOS).

This method will still return true even if all the fingerprint and facial data has been removed from the device. Before this method, you should use the "checkBiometricSupported" to check if biometry is supported in the device level.

If biometric is supported and enabled, you can use the Authenticate Biometric method to log the user in. If the key pair is invalidated due to changes in the biometry settings, e.g added fingerprint or re-enrolled face data, the biometricPrivateKeyNotFound will be thrown. You should handle the error by the Disable Biometric method, and ask the user to register biometric login again.

Error handling

In all methods related to biometric, the SDK may throw the following errors that describe the status of the biometry enrollment or the key pair stored on the device.

Fall back to Device PIN/Password when Biometric Verification fails

You may want to provide an alternative means for users to log in when biometric verification fails on their devices. For example, in a case where a user's finger is dirty (touch-based) or when the user's face is covered (Face ID).

On iOS, you use deviceOwnerAuthenticationWithBiometrics during enable, and use deviceOwnerAuthentication during subsequent authentication.

On Android, you set allowedAuthenticatorsOnEnable and allowedAuthenticatosOnAuthenticate according to the example below.

The biometric pop-up will look like this after a failed biometric log-in attempt with BiometricLAPolicy.deviceOwnerAuthentication policy on iOS:

With the BiometricLAPolicy.deviceOwnerAuthenticationWithBiometrics policy, the biometric login pop-up will not include the Enter Passcode button. An example is shown below:

Authgear

Get Started

5-Minute Guide

Video Guide

1. Create Authgear account

2. Authgear Projects

3. Testing your signup/login page

4. User Settings Page

5. Integrate Authgear with Your Application or Website

6. View and Manage Your Users

7. Continue Exploring Authgear

Start Building

Integration Approaches

Single-Page App

Native/Mobile App

Using Authgear without SDK (Client side)

Supported grant types

Regular Web App

Backend/API Integration

AI Coding tools

Plug-and-Play Security with Authgear

Tips for using AI Codeing tools:

SAML Attribute Mapping

Authentication and Access

Authentication

Change Forgot/Reset Password settings

Enable Reset Password

Recovery via phone

How to Handle Password While Creating Accounts for Users

How to create a user and send the password via email

What happens if the user loses the preset password?

Reset Password for Users

How to reset a user's password via Authgear Portal

How to reset a user's password via AdminAPI

What happens if the user loses the preset password?

Add WhatsApp OTP Login

Add Email Magic Link Login

Disable Public Signup

When to Disable Public Signup

Custom Authentication Flow

Example 1: Verifying multiple identities during signup

Single Sign-on Overview

Force Authgear to Show Login Page

Social Login Providers

Connect Apps to GitHub

Prerequisite

Configure Sign in with GitHub through the portal

Connect Apps to LinkedIn

Prerequisite

Enterprise Login Providers

Connect Apps to Azure AD B2C

Prerequisite

Configure Sign in with Azure AD B2c through the portal

Force Login page

Force Social/Enterprise Login Providers to Show Login Screen

FAQ for Authentication

Tips for Apple App Store Review with Passwordless Login

How to enable "test mode"

Phone Number Validation

Integration

User Profiles

Mobile Apps

Integration with other Software

FAQ for Integration

5-Minute Guide

Video Guide

1. Create Authgear account

2. Authgear Projects

3. Testing your signup/login page

4. User Settings Page

5. Integrate Authgear with Your Application or Website

6. View and Manage Your Users

7. Continue Exploring Authgear

Start Building

Integration Approaches

Single-Page App

Social Login Providers

User Profiles

Mobile apps or single-page web applications

Client-side SDKs