Authentication Flows

Choose and implement an AuthOS OAuth, admin, device, or token lifecycle flow

AuthOS release 0.8.2 TypeScript SDK 0.8.0 Latest-only documentation

AuthOS supports several authentication flows for browser applications, administration surfaces, input-constrained devices, and long-lived sessions. Start with the flow that matches your client, then use the troubleshooting guide for risk challenges and common failures.

Choose a flow

Goal Guide Typical client
Sign end users in through an OAuth provider OAuth web redirect Browser or React application
Sign platform or organization administrators in Admin login Administration dashboard
Authenticate without an embedded browser or keyboard Device authorization CLI, mobile, IoT, or TV
Refresh, store, and revoke session tokens Tokens and sessions Any authenticated client
Respond to risk challenges and authentication errors Troubleshooting Any authentication flow

Prerequisites

Before you begin:

  • Install the SDK with npm install @drmhse/sso-sdk.
  • Record your AuthOS instance URL.
  • Configure an organization and service in the platform.
  • For redirect flows, register every production and development callback URI.

End-User OAuth Login (Web Redirect Flow)

Use the OAuth web redirect guide to initialize the SDK, redirect to a provider, process the callback, verify the session, and integrate the flow into React.

Admin Login (Platform & Organization Admins)

Use the admin login guide for elevated platform and organization administration surfaces.

Device Flow (CLIs and Mobile Apps)

Use the device authorization guide for RFC 8628 polling and verification experiences on CLIs, mobile applications, and other input-constrained devices.

Token Refresh Workflow

Use the tokens and sessions guide for token refresh, automatic retry, React session state, secure storage, and logout.

Risk-Based Authentication

Use the troubleshooting guide to detect and complete MFA risk challenges, test risk policies, handle SDK errors, and verify redirect URI configuration.

Best Practices

Token storage and security guidance now lives with tokens and sessions. Error and challenge guidance lives in troubleshooting.

Next Steps

Pages