---
title: Hep.gg Login (OIDC) JavaScript SDK (LLM)
description: Sign in with Hep.gg from Node/TypeScript via the hepgg package (PKCE, token exchange, JWKS verification).
---

# Hep.gg Login SDK (hepgg package)

Dependency-free OIDC helper for "Sign in with Hep.gg". Subpath: `hepgg/login`.
Part of the unified `hepgg` package. Node 20+. ID token verification uses native
webcrypto (no jose). Endpoints under https://hep.gg/api/v1/login/oauth/.

## Install

  npm install hepgg --registry https://npm.hep.gg

## Construct

  import { Login, createPkce, randomString, verifyJwt } from "hepgg/login";
  const login = new Login({ clientId, clientSecret?, redirectUri?, baseURL?, issuer?, tokenAuthMethod?, timeoutMs?, retries?, fetch? });

  clientId         string  required.
  clientSecret     string  optional. Confidential apps. Omit for public PKCE-only.
  redirectUri      string  optional default redirect URI (must match a registered one).
  baseURL          string  optional. Default https://hep.gg.
  issuer           string  optional. Default https://hep.gg. JWKS at issuer + /.well-known/jwks.json.
  tokenAuthMethod  string  "client_secret_basic" (default with secret) | "client_secret_post" | "none".

## Helpers

  createPkce() -> { verifier, challenge, method: "S256" }
  randomString(byteLength = 16) -> string   (for state / nonce)

## Methods

  authorizeUrl({ scope?, state?, nonce?, codeChallenge?, codeChallengeMethod?, redirectUri?, prompt?, extra? }) -> string
     scope: string | string[]; "openid" is added automatically. Returns the redirect URL.
  exchangeCode({ code, codeVerifier?, redirectUri? }) -> TokenResponse
  refresh(refreshToken, scope?) -> TokenResponse   (rotation-aware; store the new refresh_token)
  getUserInfo(accessToken) -> UserInfo
  verifyIdToken(idToken, { nonce?, clockToleranceSec? }) -> JwtClaims  (RS256 + iss/aud/exp checks)
  revoke(token, tokenTypeHint?) -> void   (RFC 7009)
  endSessionUrl({ idTokenHint?, postLogoutRedirectUri? }) -> string

TokenResponse: { access_token, id_token?, refresh_token?, token_type, expires_in, scope? }
UserInfo: { sub, email?, email_verified?, name?, nickname?, preferred_username?, picture?, groups?, ... }
Scopes: openid (required), profile, email, groups, offline_access (returns refresh_token).

## Errors

Failures throw HepError { status, code, service: "login", message, body }.
verifyIdToken throws on bad signature, iss/aud mismatch, expiry, or nonce mismatch.

## Part of the hepgg package

Also provides: hepgg/id, hepgg/sms, hepgg/email, hepgg/uploader, hepgg/paste,
hepgg/secrets, hepgg/ai, hepgg/logger (logger docs:
https://docs.teamhydra.dev/docs/logger/getting-started).
Full login reference: /llms/login/integration, /llms/login/scopes-and-claims, /llms/login/tokens-and-security.