Creates a new authentication client bound to a Faable Auth tenant.
The constructor kicks off FaableAuthClient.initialize in the background; you do not need to await anything before calling other methods. Prefer the createClient factory in app code — it has the same effect with less ceremony.
Tenant settings. domain and clientId are required and
throw synchronously when missing.
OptionalaudienceOptionalscopeCached session value last persisted by the client.
This is a synchronous accessor that returns whatever the client has already loaded into memory. It can lag behind storage (for example, across tabs before the broadcast event arrives) and never triggers a refresh. Prefer FaableAuthClient.getSession when you need an authoritative value, especially on the server.
The cached Session or null if no user is signed in.
Starts an OAuth / social login by redirecting the browser to the tenant's
/authorize endpoint for the chosen connection.
In browsers the SDK redirects the current window unless
skipBrowserRedirect is true; the call resolves to the authorization
URL so you can drive the navigation yourself. PKCE is used by default in
browsers, falling back to the implicit flow elsewhere. Prefer
connection_id when known — the backend resolves it without an extra
lookup; connection (by name) is kept for legacy tenants.
Completes a passwordless login by exchanging an OTP code for a session.
Pair this with FaableAuthClient.signInWithPasswordless called
with type: 'code'. On success the new session is persisted to storage
and a SIGNED_IN event is broadcast.
The user identifier and the OTP code they received.
Starts a passwordless login flow by emailing the user either an OTP code or a magic link.
type: 'code' sends a short code the user pastes into your UI; finish
the flow with FaableAuthClient.signInWithOtp.type: 'link' sends a clickable link that lands on your redirectUri
with the tokens already attached, processed by
FaableAuthClient.initialize on page load.The user's email and the delivery mechanism.
Signs the user in with a username + password against a database connection on the tenant.
The server responds with an HTML form that posts the user back to the
tenant's /login/callback to complete the OAuth flow; the SDK
auto-submits it from the current document. That is why the success path
resolves to { data: null, error: null } — the actual session lands on
the redirect target, not on this return value. Subscribe with
FaableAuthClient.onAuthStateChange to observe the resulting
SIGNED_IN event.
Redirects the current window to the tenant's /authorize endpoint.
Fire-and-forget: there is no return value because the browser navigates
away. The session lands back on your redirectUri, where
FaableAuthClient.initialize consumes it on the next page load.
Builds the tenant's /authorize URL without redirecting the browser.
Useful when you need to render a login link, open the page in a popup, or hand the URL to a different runtime (e.g. a webview). For the everyday "click → redirect" flow use FaableAuthClient.authorize or FaableAuthClient.signInWithOauthConnection.
The redirect target is resolved with this precedence:
options.redirectTo → config.redirectUri → window.location.origin.
The fully-qualified authorize URL.
Returns the session, refreshing it if necessary.
The session returned can be null if no user is signed in or the last
one has logged out.
IMPORTANT: This method loads values directly from the storage
attached to the client. If that storage is based on request cookies (for
example, on the server) the values in it may not be authentic and
therefore it's strongly advised against using this method and its
results in such circumstances — a warning will be emitted when the
storage exposes isServer: true. Re-fetch the user with a verified
call (or verify the access token yourself) before trusting it.
Subscribes to auth-state changes for this client.
The callback fires for INITIAL_SESSION once shortly after subscribing
(so consumers don't have to special-case "no event yet"), and then for
every SIGNED_IN, SIGNED_OUT, TOKEN_REFRESHED, PASSWORD_RECOVERY,
and USER_UPDATED event. Events are broadcast across tabs through
BroadcastChannel, so a sign-in or sign-out in one tab reaches every
other tab using the same storageKey.
Invoked with the event name and the new session (or
null on SIGNED_OUT). Can return a promise — the SDK awaits it.
{ data: { subscription } } — call subscription.unsubscribe()
to stop listening.
Forces a new session by exchanging a refresh token regardless of expiry.
Normally the SDK handles refresh transparently via the auto-refresh
ticker; call this only when you need to force an immediate refresh —
e.g. right after a server-side action that changed the user's claims.
Omit currentSession to reuse whatever FaableAuthClient.getSession
returns.
OptionalcurrentSession: { refresh_token: string }Optional session shape carrying the refresh token
to exchange. When passed it must include refresh_token.
Adopts an externally-provided session into the client.
Decodes the access token to find its expiry; refreshes immediately when
already expired, otherwise fetches the user info to round-trip the
session. Persists the result and broadcasts SIGNED_IN. An invalid
refresh or access token surfaces as error on the returned object.
Minimal session shape — an access token and a refresh token. Other fields are recomputed.
Starts an auto-refresh process in the background. The session is checked every few seconds. Close to the time of expiration a process is started to refresh the session. If refreshing fails it will be retried for as long as necessary.
If autoRefreshToken is enabled in the client config you don't need to
call this function, it will be called for you.
On browsers the refresh process works only when the tab/window is in the foreground to conserve resources as well as prevent race conditions and flooding auth with requests. If you call this method any managed visibility change callback will be removed and you must manage visibility changes on your own.
On non-browser platforms the refresh process works continuously in the background, which may not be desirable. You should hook into your platform's foreground indication mechanism and call these methods appropriately to conserve resources.
Triggers a "change your password" email for a database-connection user.
The current session is unaffected — the user clicks the link in the email and completes the reset on the tenant's hosted pages. The promise resolves once the email has been queued.
The user's email address.
Signs the user out and clears the session from storage.
In a browser context this removes the persisted session and broadcasts a
SIGNED_OUT event to every tab listening on the same storageKey. The
access token JWT itself remains valid until its exp — keep that
expiry short.
Scopes:
'global' (default) — invalidate all refresh tokens for the user'local' — only clear this client's storage'others' — invalidate every refresh token except this device's; no
SIGNED_OUT event is fired locallyInitializes the client session either from the URL or from storage.
Automatically called once from the constructor and idempotent — extra calls return the same in-flight promise. Call it explicitly when you need to await an OAuth, magic link, or password-recovery redirect to finish processing so you can surface any returned error.
A promise that resolves to { error } — non-null when the URL
carried a failure or storage was corrupt; never throws.
The main entry point of the SDK: an isomorphic client bound to a Faable Auth tenant that drives every authentication flow.
Prefer creating it through the createClient factory in app code. Once instantiated it begins loading its session in the background, so you can subscribe to auth-state and trigger sign-ins right away. The most common starting points are the sign-in methods and getSession.
See
Get Started with Faable Auth