Login (OIDC) JavaScript SDK

Add Sign in with Hep.gg to a Node or TypeScript app with the hepgg package, including PKCE, token exchange, and ID token verification with no extra dependencies.

Login SDK

The hepgg package includes a dependency-free OIDC helper on the hepgg/login subpath. It builds the authorize URL, runs PKCE, exchanges and refreshes tokens, reads UserInfo, and verifies ID tokens against the JWKS with native crypto. No jose, no extra installs.

Install

npm install hepgg --registry https://npm.hep.gg

The Whole Flow

Construct Login, send the user to the authorize URL, then exchange the code on your callback and verify the ID token.

import { Login, createPkce, randomString } from "hepgg/login";
 
const login = new Login({
  clientId: process.env.OIDC_CLIENT_ID,
  clientSecret: process.env.OIDC_CLIENT_SECRET, // omit for a public (PKCE-only) client
  redirectUri: "https://app.example.com/callback",
});
 
// 1) Start: stash these three in the user's session (server side, never in the
//    browser), then redirect. The verifier only ever travels on the back channel.
const pkce = await createPkce();
const state = randomString();
const nonce = randomString();
const url = login.authorizeUrl({
  scope: ["openid", "profile", "email"],
  state,
  nonce,
  codeChallenge: pkce.challenge,
});
// redirect the user to `url`
 
// 2) Callback: `code` and `returnedState` are the query parameters the provider
//    sent back (names here are illustrative). Reject the request if `state` does
//    not match the session value, then exchange the code and verify the ID token.
if (returnedState !== state) throw new Error("state mismatch: not a flow this session started");
const tokens = await login.exchangeCode({ code, codeVerifier: pkce.verifier });
const claims = await login.verifyIdToken(tokens.id_token, { nonce });
console.log(claims.sub); // the stable user id, your primary key (never key on email)

scope always includes openid (the helper adds it if you forget). authorizeUrl returns a string; you do the redirect with your framework.

The Rest Of The Toolkit

await login.getUserInfo(tokens.access_token);  // claims for the granted scopes
const next = await login.refresh(refreshToken); // rotation-aware; store next.refresh_token and discard the old one
await login.revoke(token);                      // RFC 7009, on sign-out
login.endSessionUrl({ idTokenHint, postLogoutRedirectUri }); // logout URL

Options

new Login(options)
clientId
string, required
Your OAuth client id.
clientSecret
string, optional
For confidential apps; keep it server-side. Omit for public PKCE-only clients.
redirectUri
string, optional
Default redirect URI. Must match a registered one exactly.
baseURL
string, optional, default: https://hep.gg
Platform base URL.
issuer
string, optional, default: https://hep.gg
Token issuer and JWKS origin.
tokenAuthMethod
string, optional
client_secret_basic (default when a secret is set), client_secret_post, or none (public clients).

Token and verification failures throw a typed HepError, so a bad authorization code, or an ID token with the wrong audience, issuer, nonce or signature, is one catch away.

Full Reference

Integration, Scopes and claims, and Tokens and security.