authentication
Overview
The Auth Api provides a complete set of authentication-related features, supporting various log-in methods, user management, and session management. The Auth Api is divided into 7 categories by purpose. Each category contains related Api methods, helping developers quickly find suitable APIs depending on specific needs.
- Authentication login: API method related to user registration and login, supporting various login methods.
- Session management: API method to manage user session status and token.
- User management: API method to get, update, and manage user information.
- Identity source management: API method to manage binding and unbinding of third-party identity sources.
- Password management: API method for password reset and modification. -Verification management: API method for Captcha sending, verify, and resend.
- Other tools: API method for other auxiliary features.
Basic Usage Examples
- Initialization Configuration
- Login status check
- User registration process
- User logout
- Password login
- Listen for authentication status
- Mobile captcha login
Publishable Key can go to Cloud Development Platform/API Key Configuration to generate
auth.detectSessionInUrl is an optional parameter for initialization. After configuration, it can automatically detect OAuth parameters (code, state) in the URL, suitable for usage scenarios such as signInWithOAuth and linkIdentity.
import cloudbase from "@cloudbase/js-sdk";
// Initialize it.
const app = cloudbase.init({
env: "your-env-id", // Replace this value with your environment ID
region: "ap-shanghai", // Region, defaults to Shanghai
accessKey: "", // Fill in the generated Publishable Key
auth: {
detectSessionInUrl: true, // Optional: automatically detect OAuth parameters in the URL, suitable for signInWithOAuth, linkIdentity
},
});
const auth = app.auth;
Check login status
async function checkAuthStatus() {
const { data, error } = await auth.getSession();
if (error) {
console.error("Check login status failed:", error.message);
return false;
}
if (data.session) {
console.log("user logged in:", data.session.user);
return true;
} else {
console.log("user not logged in");
return false;
}
}
// User registration example (four-step verification process)
async function registerUser(email, password, verificationCode) {
Step 1: Send verification code
const { data, error } = await auth.signUp({
email: email,
password: password,
});
if (error) {
console.error("Send Captcha failed:", error.message);
return false;
} else {
console.log("verification code sent, Validating...");
Step 2: Verify the Captcha and complete registration.
const { data: loginData, error: loginError } = await data.verifyOtp({
token: verificationCode,
});
if (loginError) {
console.error("Verification failed:", loginError.message);
return false;
} else {
console.log("register successfully:", loginData.user?.email);
return true;
}
}
}
// User logout example
async function logoutUser() {
const { data, error } = await auth.signOut();
if (error) {
console.error("Logout failed:", error.message);
return false;
} else {
console.log("logout successful, session cleared");
return true;
}
}
// Password login example
async function loginWithPassword(email, password) {
const { data, error } = await auth.signInWithPassword({
email: email,
password: password,
});
if (error) {
console.error("Login failed:", error.message);
return false;
} else {
console.log("Login successful:", data.user?.email);
return true;
}
}
// Listen for authentication status adjustment
auth.onAuthStateChange((event, session, info) => {
console.log("certification status transition:", event);
switch (event) {
case "INITIAL_SESSION":
console.log("initial session established");
if (session) {
console.log("user logged in:", session.user);
} else {
console.log("user not logged in");
}
break;
case "SIGNED_IN":
console.log("user login successful:", session.user);
break;
case "SIGNED_OUT":
console.log("user logged out");
break;
case "PASSWORD_RECOVERY":
console.log("password reset");
break;
case "TOKEN_REFRESHED":
console.log("Token refreshed");
break;
case "USER_UPDATED":
console.log("user information updated");
break;
case "BIND_IDENTITY":
console.log("identity source binding result");
break;
}
});
// Complete mobile captcha login page implementation
class PhoneLoginPage {
constructor() {
this.setupEventListeners();
}
// Set up event listening
setupEventListeners() {
document.getElementById("sendCodeBtn").addEventListener("click", (e) => {
e.preventDefault();
this.sendVerificationCode();
});
document.getElementById("verifyCodeBtn").addEventListener("click", (e) => {
e.preventDefault();
this.verifyCodeAndLogin();
});
}
// Send a Captcha
async sendVerificationCode() {
const phone = document.getElementById("phone").value;
if (!phone) {
alert("Enter your phone number");
return;
}
// Verify phone number format
if (!this.validatePhone(phone)) {
alert("Enter a valid mobile number format");
return;
}
// display loading...
this.showLoading(true);
this.hideError();
try {
const { data, error } = await auth.signInWithOtp({
phone: phone,
});
if (error) {
this.handleSendCodeError(error);
} else {
this.handleSendCodeSuccess(data);
}
} catch (error) {
this.handleNetworkError(error);
} finally {
this.showLoading(false);
}
}
// Verify the Captcha and log in
async verifyCodeAndLogin() {
const code = document.getElementById("code").value;
if (!code) {
alert("Enter the Captcha");
return;
}
if (!this.verifyFunction) {
alert("Please first send verification");
return;
}
this.showLoading(true);
this.hideError();
try {
const { data, error } = await this.verifyFunction({ token: code });
if (error) {
this.handleVerifyError(error);
} else {
this.handleLoginSuccess(data);
}
} catch (error) {
this.handleNetworkError(error);
} finally {
this.showLoading(false);
}
}
// Verify phone number format
validatePhone(phone) {
const phoneRegex = /^1[3-9]\d{9}$/;
return phoneRegex.test(phone);
}
// Handle sending Captcha successfully
handleSendCodeSuccess(data) {
this.verifyFunction = data.verifyOtp;
// Display the Captcha input area
document.getElementById("verificationSection").style.display = "block";
document.getElementById("phoneSection").style.display = "none";
// Start countdown
this.startCountdown(60);
document.getElementById("success").innerText =
The Captcha has been sent to your mobile phone. Please check your inbox.
document.getElementById("success").style.display = "block";
}
// Handle send verification error (using error code)
handleSendCodeError(error) {
switch (error.code) {
case "invalid_argument":
document.getElementById("error").innerText =
error.message || "Incorrect phone number format, please check and retry";
break;
case "not_found":
document.getElementById("error").innerText =
"This phone number is unregistered. Please first register or use another phone number";
break;
case "resource_exhausted":
document.getElementById("error").innerText = "Sending frequency too high, try again later";
break;
case "unreachable":
document.getElementById("error").innerText =
"Network connection failed, check the network settings";
break;
default:
document.getElementById("error").innerText =
"Send verification code failed: " + error.message;
}
document.getElementById("error").style.display = "block";
}
// Handle verification error (using error code)
handleVerifyError(error) {
switch (error.code) {
case "invalid_argument":
// Verification code expired/incorrect/mismatch
document.getElementById("error").innerText =
error.message || "Verification code expired or incorrect, please obtain again";
document.getElementById("resendBtn").style.display = "block";
break;
case "unauthenticated":
// Token expired, need to re-login
document.getElementById("error").innerText = "Login expired, please login again";
window.location.href = "/login";
break;
case "failed_precondition":
document.getElementById("error").innerText = error.message;
break;
case "not_found":
document.getElementById("error").innerText = "User not found";
break;
case "unavailable":
document.getElementById("error").innerText =
"Service temporarily unavailable, please try again later";
break;
case "unreachable":
document.getElementById("error").innerText =
"Network connection failed, check the network settings";
break;
default:
document.getElementById("error").innerText =
"Verification failed: " + error.message;
}
document.getElementById("error").style.display = "block";
}
handle successful login
handleLoginSuccess(data) {
document.getElementById("success").innerText = "Login successful. Welcome back";
document.getElementById("success").style.display = "block";
console.log("user information:", data.user);
console.log("session information:", data.session);
Navigate to the homepage after a delay
setTimeout(() => {
window.location.href = "/dashboard";
}, 2000);
}
Handle network error
handleNetworkError(error) {
document.getElementById("error").innerText =
Network error, check the network and try again after.
document.getElementById("error").style.display = "block";
console.error("network error:", error);
}
// Show/Hide loading...
showLoading(show) {
document.getElementById("loading").style.display = show ? "block" : "none";
document.getElementById("sendCodeBtn").disabled = show;
document.getElementById("verifyCodeBtn").disabled = show;
}
// Hide error message
hideError() {
document.getElementById("error").style.display = "none";
}
// Start countdown
startCountdown(seconds) {
let countdown = seconds;
const btn = document.getElementById("resendBtn");
const originalText = btn.innerText;
btn.disabled = true;
const timer = setInterval(() => {
countdown--;
btn.innerText = `${countdown}s to resend`;
if (countdown <= 0) {
clearInterval(timer);
btn.disabled = false;
btn.innerText = originalText;
}
}, 1000);
}
}
// Initialize after the webpage loads
window.addEventListener("DOMContentLoaded", () => {
new PhoneLoginPage();
});
Authentication login
signUp
async signUp(params: SignUpReq): Promise<SignUpRes>
Register new user account, use intelligent signup and login process.
Phone number verification code registration is only supported in the Shanghai region
-Create a new user account -Use intelligent signup and login process: send verification code → wait for user input → intelligently determine user existence → automatically log in or register and log in. -If the user already exists, log in directly. If the user does not exist, register a new user and automatically log in.
参数
返回
示例
signInAnonymously
async signInAnonymously(params?: SignInAnonymouslyReq): Promise<SignInRes>
Anonymous login, create a temporary anonymous user account.
-Create a temporary anonymous user account -No need to provide any authentication information -Suitable for scenarios where temporary access permission is required -Before using, please confirm that anonymous login (enabled by default) is enabled in Cloud Development Platform/Identity Verification/Registration Configuration.
参数
返回
示例
signInWithPassword
async signInWithPassword(params: SignInWithPasswordReq): Promise<SignInRes>
Log in with userName, mailbox, or phone number and password.
-Support username, mailbox, or mobile number in conjunction with password as log-in methods (choose one). -Before using, please confirm that username and password login (enabled by default) is enabled in Cloud Development Platform/Identity Verification/Regular Login.
参数
返回
示例
signInWithOtp
async signInWithOtp(params: SignInWithOtpReq): Promise<SignInWithOtpRes>
Use one-time password (OTP) for login validation, supporting mailbox and SMS verification.
SMS verification code is only supported in the Shanghai region
- Send a one-time verification code via mailbox or mobile number for login validation.
- Support the full verification process: send Captcha → wait for user input → verify and log in.
- Suitable for passwordless login scenarios, offering higher security
- Before using, please confirm that log in via mailbox/SMS verification code is enabled in Cloud Development Platform/Identity Verification/Log-in Methods/Regular Login.
- If the user does not exist, a default registered user will be created. The automatic creation of the user can be controlled through the
shouldCreateUserparameter, which is set to true by default
参数
返回
示例
signInWithOAuth
async signInWithOAuth(params: SignInWithOAuthReq): Promise<SignInOAuthRes>
Generate authorization links for third-party platforms, supporting mainstream platforms such as WeChat and Google.
-Generate the authorization page URL for third-party platforms such as WeChat and Google. -Store status information in the browser session so that follow-up verification
- Support custom callback address and status parameter
- Before using, please confirm that the corresponding OAuth identity source is enabled in Cloud Development Platform/Identity Verification/Log-in Methods.
Must-Knows
- After calling this method, status information will be automatically saved to the browser session. When setting
auth.detectSessionInUrltotruein cloudbase.init, it will automatically call verifyOAuth to verify after returning from a third-party callback, otherwise you need to manually verify via the verifyOAuth method subsequently. - If no state parameter is provided, the system automatically generates a status parameter in
prd-{provider}-{random string}format -The callback URL needs to be configured in the protected domains of the Cloud Development Platform, otherwise it will return a permission error.
参数
返回
示例
signInWithIdToken
async signInWithIdToken(params: SignInWithIdTokenReq): Promise<SignInRes>
Log in with a third-party platform identity token, supporting mainstream platforms such as WeChat and Google.
-Log in with a third-party platform identity token, such as WeChat and Google. -Support specifying third-party platform identification. Third-party platforms must be configured in Cloud Development Platform/Identity Verification/Login Methods first. -Token is a required parameter
参数
返回
示例
signInWithCustomTicket
async signInWithCustomTicket(getTickFn: GetCustomSignTicketFn): Promise<SignInRes>
Use custom login invoice to log in, support complete custom login process.
-Use custom login ticket to authenticate -Support passing functions to obtain custom login invoice
- Suitable for scenarios requiring a complete custom login process
- For the detailed process of issuing a Ticket, see Custom Login
参数
Function to get custom login invoice, return Promise<string>
返回
示例
signInWithOpenId
async signInWithOpenId(params?: SignInWithOpenIdReq): Promise<SignInRes>
WeChat mini program OpenID silent login. If the user does not exist, it will determine whether to automatically register based on the login mode configuration of the corresponding identity source in the Cloud Development Platform login methods (https://tcb.cloud.tencent.com/dev?envId=#/identity/login-manage).
Only supported for use in WeChat mini program
参数
Login parameters
返回
示例
signInWithPhoneAuth
async signInWithPhoneAuth(params: SignInWithPhoneAuthReq): Promise<SignInRes>
WeChat mini program mobile phone authorization login. If the user does not exist, it will determine whether to automatically register based on the login mode configuration of the corresponding identity source in the Cloud Development Platform login methods (https://tcb.cloud.tencent.com/dev?envId=#/identity/login-manage).
Only supported for use in WeChat mini program
参数
Login parameters
返回
示例
Session Management
getSession
async getSession(): Promise<SignInRes>
Retrieve current session info and check user login status.
-Retrieve current user session information, including access token and user information. -Check whether the user is logged in. Returns an empty session if not logged in
参数
无参数
返回
示例
refreshSession
async refreshSession(refresh_token?: string): Promise<SignInRes>
Refresh the session token, extend user login status, support auto-renewal and error recovery.
-Use a refresh token to get a new access token -Extend the valid period of user sessions -Supports the use of designated refresh tokens or default tokens
参数
返回
示例
setSession
async setSession(params: SetSessionReq): Promise<SignInRes>
Use existing access token and refresh token to set user session, support external system integration and manual session management.
-Use existing access_token and refresh_token to set user session -Suitable for scenarios where tokens are obtained from an external system and sessions are set manually. -Session set successfully triggers SIGNED_IN event
参数
返回
示例
signOut
async signOut(params?: SignOutReq): Promise<SignOutRes>
User logout, clear the current session and local storage.
-Log out current user login status securely -Clear server-side session and local storage -Support redirect to specified page
- Trigger authentication status change event
参数
返回
示例
User Management
getUser
async getUser(): Promise<GetUserRes>
Obtain currently logged in user detailed information, include identity information, metadata and permission status, support user profile show and permission verification.
- Obtain currently logged in user complete information -including basic user information, metadata and identity information Users are advised to be logged in to obtain the complete information -Support checking user permissions and verification status
参数
无参数
返回
示例
refreshUser
async refreshUser(): Promise<CommonRes>
Refresh current logged-in user information.
-Refresh current logged-in user complete information
- Re-fetch the latest user data from the server
- Suitable for scenarios where user information may be updated but local cache is unsynced User must be logged in to refresh info
参数
无参数
返回
示例
updateUser
async updateUser(params: UpdateUserReq): Promise<GetUserRes>
Update current logged-in user info.
-Password update not supported. Please use resetPasswordForEmail, resetPasswordForOld, or reauthenticate to update password. -Update current logged-in user basic info and metadata -Support updating mailbox, mobile number, username, nickname, avatar, etc. -Users are advised to be logged in to update information Return upon success after update user information
参数
返回
示例
deleteUser
async deleteUser(params: DeleteMeReq): Promise<CommonRes>
Delete the current logged-in user account.
-Permanently delete the current logged-in user account. -Verify user password to confirm identity -Once deleted, all user data will be permanently removed. -Irreversible operation. Use with caution.
参数
返回
示例
Identity Source Management
getUserIdentities
async getUserIdentities(): Promise<GetUserIdentitiesRes>
Retrieve all identity sources bound to the current user.
-Retrieve all third-party identity sources. Related identity sources can be configured in Cloud Development Platform/Identity Verification/Login Methods. -Return the detailed information of the identity source, including platform identifier, identity source ID, binding time.
- Users must be logged in to retrieve identity source information.
参数
无参数
返回
示例
linkIdentity
async linkIdentity(params: LinkIdentityReq): Promise<LinkIdentityRes>
Bind a new identity source to the current user, and it will automatically redirect to the third-party OAuth authorization page.
- Bind a new third-party identity source to the current logged-in user. It supports binding third parties such as WeChat, Google, and GitHub. The identity source needs to be configured in Cloud Development Platform/Identity Verification/Login Methods first. -Binding succeeded. Users can use this identity source to log in.
- User must be logged in to bind an identity source.
- When setting
auth.detectSessionInUrltotruein cloudbase.init, it will automatically call verifyOAuth to verify after returning from a third-party callback, otherwise you need to manually verify via the verifyOAuth method subsequently.
参数
返回
示例
unlinkIdentity
async unlinkIdentity(params: UnlinkIdentityReq): Promise<CommonRes>
Unbind the identity source bound to the current user.
-Unbind the third-party identity source bound to the current logged-in user. Related identity sources can be configured in Cloud Development Platform/Identity Verification/Login Methods. -Unbinding is successful. Reload the identity source list. -Use the identity source flag (provider) instead of the identity source ID (identity_id) to proceed with unbinding.
参数
返回
示例
Password Management
resetPasswordForEmail
async resetPasswordForEmail(email: string): Promise<ResetPasswordForEmailRes>
Resetting user password via mailbox, using a four-step verification process.
-Sending Captcha via mailbox to reset user password -Use a four-step verification process: send verification code → wait for user input → verify verification code → set new password. -User email must be registered and verified.
参数
Email address for user registration
返回
示例
resetPasswordForOld
async resetPasswordForOld(params: ResetPasswordForOldReq): Promise<SignInRes>
Reset the password of the current logged-in user using the old password.
-Reset the password of the current logged-in user by verifying the old password. -Users are advised to be logged in -Suitable for scenarios where users remember the old password
参数
返回
示例
reauthenticate
async reauthenticate(): Promise<ReauthenticateRes>
Re-authenticate the current logged-in user identity through verification code verification and allow the modification of the password.
SMS verification code is only supported in the Shanghai region
-Re-authenticate the present logged-in user identity and support update password. -Verify by sending a verification code to the user's registered mailbox or mobile number, giving priority to the mailbox. If the mailbox is not set by the user, use the mobile number. -Applicable to identity verification before security-sensitive operations
参数
无参数
返回
示例
Verification Management
verifyOAuth
async verifyOAuth(params?: VerifyOAuthReq): Promise<SignInRes>
Verify third-party platform authorization callback and complete the OAuth login process.
-Verify third-party platform authorization callback, retrieve user information and complete login, can be used in conjunction with signInWithOAuth
- Support automatically obtaining authorization code and status parameter from URL parameter -Provide complete security verification mechanism to prevent CSRF attack
参数
返回
示例
verifyOtp
async verifyOtp(params: VerifyOtpReq): Promise<SignInRes>
Verify the one-time password (OTP) to complete login or sign-up process.
SMS verification code is only supported in the Shanghai region
-Verify the one-time password (OTP) sent to your mailbox or mobile number. -Support two verification methods: mailbox or mobile number (choose one).
- After successful verification, automatically log in the user and return session information
- Suitable for registration, login, password reset, and other scenarios
参数
返回
示例
resend
async resend(params: ResendReq): Promise<ResendRes>
Resend Captcha to mailbox or mobile number.
SMS verification code is only supported in the Shanghai region
-Resend Captcha to user's mailbox or mobile number -Support registration, mailbox update, mobile number update, and other scenarios -Resend to get a new message ID for the verification process -Provide rate limit protection to prevent malicious resend
参数
返回
示例
Other tools
onAuthStateChange
onAuthStateChange(callback: OnAuthStateChangeCallback): OnAuthStateChangeResult
Listen for authentication status changes and respond to events such as login, logout, and token refresh in real time.
- Listen for user authentication status change events -Support various event types: login, logout, token refresh, user information update, identity source bind. -Return the subscription object for cancel listening -Suitable to build responsive UI and status management
参数
callback function for state changes
返回
示例
getClaims
async getClaims(): Promise<GetClaimsRes>
Retrieve the claim info from the current access token for debug and permission check.
-Parse the JWT claim info in the current access token -Return the header, claim, and signature of the token. -For debug token info, check permissions and verify token status. -Users are advised to be logged in to obtain token info
参数
无参数
返回
示例
toDefaultLoginPage
async toDefaultLoginPage(params: authModels.ToDefaultLoginPage): Promise<void>
Redirect to the default login page, fully compatible with web and WeChat mini program.
-Support redirection to the system default login page -Compatible with Web and WeChat mini program.
- Configurable login page version and redirect address
- Support carrying custom parameters and redirect
Local debugging
If you develop a Web application, since the static resources of the __auth login page are stored in Website Hosting, you need to configure a proxy during local debugging to successfully redirect to the __auth login page.
Recommended to use the Whistle tool to configure proxy. The access domain of the __auth login page can be viewed in Static Website Hosting - Configuration Message - Default Domain Name.
Assuming the access address of the locally started application is http://localhost:3000 and the access domain of the __auth login page is lowcode-xxx-xxx.tcloudbaseapp.com, the Whistle proxy Rules configuration is as follows:
https://lowcode-xxx-xxx.tcloudbaseapp.com http://localhost:3000
# Configure proxy for other application paths
After running the application, you can access it at https://lowcode-xxx-xxx.tcloudbaseapp.com.
参数
返回
示例
Error Code
Login error
| Error Code | Description |
|---|---|
| not_found | User does not exist |
| password_not_set | The current user has not set a password. Please use Captcha or third-party login method |
| invalid_password | Incorrect Password |
| user_pending | User not activated |
| user_blocked | User disabled |
| invalid_status | You have exceeded the maximum number of retries for password, please retry later |
| invalid_two_factor | MFA code mismatched or outdated |
Registration error
| Error Code | Description |
|---|---|
| failed_precondition | The mobile number or mailbox you input has been registered, please use another number |
Captcha Related Errors
| Error Code | Description |
|---|---|
| failed_precondition | Failed to obtain user information from third party |
| resource_exhausted | Attempt too frequent, try again later |
| invalid_argument | The input Captcha is incorrect or expired |
| aborted | Too many attempts, back to homepage and try again later |
| permission_denied | Your current session expired, back and retry |
| captcha_required | Need to enter Captcha, based on anti-robot service access |
| captcha_invalid | Incorrect Captcha, based on anti-robot service access |
Other Errors
| Error Code | Description |
|---|---|
| unreachable | Network error, check your network connection and try again later |
Error Description
| Error Code | Error Description | Description |
|---|---|---|
| permission_denied | cors permission denied, please check if {url} is in your client {env} domains | please check whether the secure domain name {url} is already configured for the {env} environment in "cloud Development Platform/Environment Configuration/Secure source/Protected domains" (https://tcb.cloud.tencent.com/dev?envId=#/env/safety-source). It will take effect 10 minutes after configuration. |
Complete type definition
SignInAnonymouslyReq
Anonymous login parameter
interface SignInAnonymouslyReq {
provider_token?: string; // Provider token (optional)
}
User
interface User {
id: any; // User ID
aud: string; // Audience
role: string[]; // User role
email: any; // Email
email_confirmed_at: string; // Email confirmation time
phone: any; // Phone number
phone_confirmed_at: string; // Mobile number confirmation time
confirmed_at: string; // Confirmation time
last_sign_in_at: string; // Last login time
app_metadata: {
app_metadata: {
provider: any; // Provider
providers: any[]; // Provider list
};
user_metadata: {
user_metadata: {
name: any; // Name
picture: any; // Avatar
username: any; // Username
gender: any; // Gender
locale: any; // Region
uid: any; // User ID
nickName: any; // Nickname
avatarUrl: any; // Avatar URL
location: any; // Location
hasPassword: any; // Whether there is a password
};
identities: any; // Identity information
created_at: string; // Creation time
updated_at: string; // Update time
is_anonymous: boolean; // Anonymous or not
// Add a field.
recovery_sent_at?: string; // Password reset send time
email_change_sent_at?: string; // Email change send time
phone_change_sent_at?: string; // Phone number change send time
new_email?: string; // New email address
new_phone?: string; // New phone number
}
Session
interface Session {
access_token: string; // Access token
refresh_token: string; // Refresh token
expires_in: number; // Expiration time (seconds)
token_type: string; // Token type
user: User; // User information
// Add a field.
provider_token?: string; // Third-party platform token
provider_refresh_token?: string; // Third-party platform refresh token
expires_at?: number; // Expiry timestamp
issued_at?: number; // Issuance timestamp
scope?: string; // Authorization scope
token_id?: string; // Token ID
}
AuthError
// Authentication error type
interface AuthError extends Error {
code: (string & {}) | undefined; // Error code
category: AuthErrorCategory; // Error category for business logic handling
requestId?: string; // Request ID
status: number | undefined; // HTTP Status Code
helpMessage?: string; // Help message with error handling suggestions
retryAfter?: number; // Retry wait seconds when rate limited
// Common error codes
// 400: Client Error
// - invalid_argument: Invalid argument (incorrect email or phone number format)
// - invalid_password: Invalid password format
// - user_not_found: User does not exist
// - already_exists: Email already exists
// - phone_already_exists: Mobile number already exists
// - username_already_exists: Username already exists
// - invalid_code: Invalid verification code
// - code_expired: Captcha expired
// - max_attempts_exceeded: Too many verification attempts
// - password_too_weak: Password strength is insufficient
// - invalid_token: Token invalid
// - token_expired: Token expired
// - state_mismatch: State parameter mismatch
// - provider_not_supported: Unsupported third-party platform
// - provider_mismatch: Third-party platform flag mismatch
// - failed_precondition: Precondition failed
// - permission_denied: Insufficient permissions
// - resource_exhausted: Resource exhaustion
// - unreachable: Network connection failed
// - invalid_argument: Parameter error (verification code incorrect or expired)
// - not_found: User not found (verify phase)
// - unauthenticated: Token verification failed
// - unauthorized_client: Client verification failed
// 500: Server Error
// - internal_error: Internal Server Error
// - service_unavailable: Service unavailable
}
// Error category enum
enum AuthErrorCategory {
RATE_LIMITED = "RATE_LIMITED", // Rate limited
CAPTCHA_REQUIRED = "CAPTCHA_REQUIRED", // Captcha required
CAPTCHA_INVALID = "CAPTCHA_INVALID", // Captcha verification failed
INVALID_CREDENTIALS = "INVALID_CREDENTIALS", // Invalid credentials (wrong password, Token expired, etc.)
USER_NOT_FOUND = "USER_NOT_FOUND", // User not found
INVALID_PARAMS = "INVALID_PARAMS", // Parameter format error
PROVIDER_NOT_ENABLED = "PROVIDER_NOT_ENABLED", // Login method not enabled
MFA_REQUIRED = "MFA_REQUIRED", // Multi-factor authentication required
SERVICE_ERROR = "SERVICE_ERROR", // Server error
NETWORK_ERROR = "NETWORK_ERROR", // Network unreachable
PRECONDITION_FAILED = "PRECONDITION_FAILED", // Precondition not met (account already bound, etc.)
VERIFICATION_FAILED = "VERIFICATION_FAILED", // Verification code check failed (expired/incorrect/mismatch)
UNKNOWN = "UNKNOWN", // Other uncategorized errors
}
CommonRes
// Common response parameters
interface CommonRes {
data: {}; // empty object on success
error: AuthError | null; // Error info. null on success
}
SignUpReq
// User registration parameters (four-step verification process)
interface SignUpReq {
email?: string; // Email address (optional, choose either this or mobile number)
phone?: string; // Mobile number (optional, choose either this or email address)
password: string; // Password (required)
username?: string; // Username (optional), length 5-24 characters, supports Chinese and English letters, numbers, special characters (only _- allowed), Chinese characters are not allowed
nickname?: string; // Nickname (optional)
avatar_url?: string; // Avatar URL (optional)
gender?: "MALE" | "FEMALE"; // Gender (optional)
}
SignOutReq
// User logout parameter
interface SignOutReq {
options?: {
// Configuration option (optional)
redirectTo?: string; // Redirection address after logout
clearStorage?: boolean; // Whether to clear local storage (default true)
};
}
SignInWithPasswordReq
// Password login parameter
interface SignInWithPasswordReq {
username?: string; // Username (optional, choose one among username, mailbox, or phone number), length 5-24 characters, supports Chinese and English letters, numbers, special characters (only _- allowed), Chinese characters are not allowed
email?: string; // Email address (optional, choose one among email address, username, or mobile number)
phone?: string; // Mobile number (optional, choose one among mobile number, username, or email address)
password: string; // Password (required)
is_encrypt?: boolean; // Encrypted or not; false by default
}
SignInWithIdTokenReq
// ID token login parameter
interface SignInWithIdTokenReq {
provider?: string; // Third-party platform flag (optional)
token: string; // Third-party platform identity token (required)
// Add a field.
provider?: string; // Third-party platform flag (optional, duplicate parameter with provider, reserved for compatibility)
}
SignInWithOtpReq
// OTP login parameter
interface SignInWithOtpReq {
email?: string; // Email address (optional, choose either this or mobile number)
phone?: string; // Mobile number (optional, choose either this or email address)
options?: {
shouldCreateUser?: boolean; // If the user does not exist, create a new user, default true
};
}
SignInWithOAuthReq
// OAuth authorization parameter
interface SignInWithOAuthReq {
provider: string; // Third-party platform flag (required)
options?: {
// Configuration option (optional)
redirectTo?: string; // Callback URL, defaults to current page
skipBrowserRedirect?: boolean; // Whether to navigate to the authorization page, default false
state?: string; // Status parameter, used for security verification, defaults to a random string (format: prd-{provider}-{random string})
queryParams?: Record<string, string>; // Additional query parameters, which will be merged into the authorization URI
type?: "sign_in" | "bind_identity"; // Type (optional), defaults to 'sign_in', sign_in: sign in, bind_identity: bind identity
};
}
SetSessionReq
// Session setting parameter
interface SetSessionReq {
access_token: string; // Access token (required)
refresh_token: string; // Refresh token (required)
}
VerifyOAuthReq
// OAuth verification parameter
interface VerifyOAuthReq {
code?: string; // Authorization code (optional, default from URL parameter access)
state?: string; // Status parameter (optional, default from URL parameter access)
provider?: string; // Third-party platform flag (optional, default from session retrieval)
}
VerifyOtpReq
// OTP verification parameter
interface VerifyOtpReq {
type?:
| "sms"
| "phone_change"
| "signup"
| "invite"
| "magiclink"
| "recovery"
| "email_change";
email; // Validation type (optional)
email?: string; // Email address (optional, choose either this or mobile number)
phone?: string; // Mobile number (optional, choose either this or email address)
token: string; // Captcha (required)
messageId: string; // ID corresponding to the verification code (required)
}
UpdateUserReq
// User information update parameters
interface UpdateUserReq {
email?: string; // Email address
phone?: string; // Phone number
username?: string; // Username (optional), length 5-24 characters, supports Chinese and English letters, numbers, special characters (only _- allowed), Chinese characters are not allowed
description?: string; // Description (optional)
avatar_url?: string; // Avatar URL (optional)
nickname?: string; // Nickname (optional)
gender?: "MALE" | "FEMALE"; // Gender (optional)
}
LinkIdentityReq
// Identity source bind parameter
interface LinkIdentityReq {
provider: string; // Identity source flag (required)
}
UnlinkIdentityReq
// Identity source unbind parameter
interface UnlinkIdentityReq {
provider: string; // Identity source flag (required)
}
ReauthenticateReq
// Re-authenticate parameter
interface ReauthenticateReq {
// No input parameters, use the current logged-in user info
}
ResendReq
// Resend verification code parameter
interface ResendReq {
email?: string; // Email address (optional, choose either this or mobile number)
phone?: string; // Mobile number (optional, choose either this or email address)
type?: "signup" | "email_change" | "phone_change" | "sms"; // Type (optional)
}
ResendRes
// Resend verification code response parameter
interface ResendRes {
data: {
messageId?: string; // Message ID (Captcha ID)
};
error: AuthError | null; // Error info. null on success
}
SignInWithOtpRes
// OTP login response parameter
interface SignInWithOtpRes {
data: {
verifyOtp?: (params: {
token: string;
messageId?: string;
}) => Promise<SignInRes>; // Captcha callback function, supports messageId parameter
};
error: AuthError | null; // Error info. null on success
}
SignUpRes
// User registration response parameter
interface SignUpRes {
data: {
verifyOtp?: (params: {
token: string;
messageId?: string;
}) => Promise<SignInRes>; // Captcha callback function, supports messageId parameter
};
error: AuthError | null;
}
SignInOAuthRes
// OAuth authorization response parameter
interface SignInOAuthRes {
data: {
url?: string; // Authorization page URL
provider?: string; // Third-party platform flag
scopes?: string; // Authorization scope
};
error: AuthError | null; // Error info. null on success
}
LinkIdentityRes
// Identity source bind response parameter
interface LinkIdentityRes {
data: {
provider?: string; // Bound identity source flag
type?: "sign_in" | "bind_identity" | ""; // Type (optional), defaults to 'sign_in', sign_in: sign in, bind_identity: bind identity
};
error: AuthError | null; // Error info. null on success
}
Identity
interface Identity {
id: string; // Identity source flag
name: string; // Identity source name
picture: string; // Avatar URL
}
GetUserIdentitiesRes
// Identity source retrieval response parameter
interface GetUserIdentitiesRes {
data: {
identities?: Array<{
id: string; // Identity source flag
name: string; // Identity source name
picture: string; // Avatar URL
}>;
};
error: AuthError | null; // Error info. null on success
}
GetClaimsRes
// Declaration information acquisition response parameter
interface GetClaimsRes {
data: {
// token claim info
claims?: {
iss: string; // issuer
sub: string; // subject
aud: string; // audience
exp: number; // expiration time
iat: number; // issued at
at_hash: string; // access token hash
name: string; // Name
picture?: string; // Avatar URL
email?: string; // Email
phone_number?: string; // Phone number
scope: string; // Authorization scope
project_id: string; // Project ID
provider?: string; // Third-party platform flag
provider_type?: string; // Third-party platform type
groups?: string[]; // User group
meta?: {
wxOpenId?: string;
wxUnionId?: string;
};
user_id: string; // uid
roles: string[]; // Role
user_type: string; // Type of user
client_type: string; // Client type
is_system_admin: boolean; // System admin
};
// token header information
header?: {
alg: string; // Encryption algorithm
kid: string; // Token ID
};
signature?: string; // Token signature
};
error: AuthError | null; // Error info. null on success
}
ResetPasswordForOldReq
// Reset password parameter with old password
interface ResetPasswordForOldReq {
new_password: string; // New password (required)
old_password: string; // Old password (required)
}
DeleteMeReq
// Current user deletion parameter
interface DeleteMeReq {
password: string; // User password (required)
}
SignInRes
// Login response parameter
interface SignInRes {
data: {
user?: User; // User information
session?: Session; // Session information
};
error: AuthError | null; // Error info. null on success
}
GetUserRes
// User information retrieval response parameter
interface GetUserRes {
data: {
user?: User; // User details
};
error: AuthError | null; // Error info. null on success
}
OnAuthStateChangeEvent
// Authentication status change event type
type OnAuthStateChangeEvent =
| "SIGNED_OUT" // User logged out
| "SIGNED_IN" // User login successful
| "INITIAL_SESSION" // Initial session established
| "PASSWORD_RECOVERY" // Password reset
| "TOKEN_REFRESHED" // Token refreshed
| "USER_UPDATED" // User information updated
| "BIND_IDENTITY"; // Identity source binding result
OnAuthStateChangeCallback
// Authentication status change callback function type
type OnAuthStateChangeCallback = (
event: OnAuthStateChangeEvent,
session: Session
) => void;
ResetPasswordForEmailRes
// Mailbox password reset response parameter
interface ResetPasswordForEmailRes {
data: {
updateUser?: (attributes: UpdateUserAttributes) => Promise<SignInRes>; // Captcha callback function, supports new password parameter
};
error: AuthError | null; // Error info. null on success
}
UpdateUserAttributes
// User attribute update parameters
interface UpdateUserAttributes {
nonce: string; // Captcha
password: string; // New password
}
ReauthenticateRes
// Re-authenticate response parameter
interface ReauthenticateRes {
data: {
updateUser?: (attributes: UpdateUserAttributes) => Promise<SignInRes>; // Captcha callback function, supports new password parameter
};
error: AuthError | null; // Error info. null on success
}