@tilldev/auth-react
Provider + hooks for SPAs and Next.js apps. Auto-refresh, OAuth fragment capture, MFA, passkeys, optional cookie-mode for HttpOnly sessions. Works with React 18+ and React 19.
pnpm add @tilldev/auth-reactTillAuthProvider
Wrap your root once.
Props:
appId— your TillAuth public ID (tau_pub_…). Required.apiBase— override the API base. Defaults tohttps://auth.tilldev.dev.storagePrefix— storage key prefix. Defaults totau_.storage— custom storage. Defaults to localStorage in browser, in-memory otherwise.sessionMode—'local'(default) or'cookie'. See below.cookieProxyBase— whensessionMode='cookie', the base URL of your same-site proxy (typically/api/auth/*).
useSession · useUser · useAuthStatus
User has { id, email, email_verified, display_name, mfa_enrolled }. The provider auto-refreshes the access token 60 seconds before expiry, so session.access_token is always current.
useSignIn
useSignUp
useSignOut
useMfa
For TOTP challenges after a primary signin.
Passkeys
Session modes
Two ways to store and present the access token:
sessionMode: 'local' (default)
Tokens live in localStorage. The SDK setsAuthorization: Bearer <access_token> on its own fetches. You're responsible for adding the same header to your own backend calls — read it from useSession().access_token.
XSS that runs in your app can steal the token. Mitigations: strict CSP, no third-party scripts, sanitize all user-supplied HTML.
sessionMode: 'cookie'
Tokens live in HttpOnly cookies set by a same-site proxy you run atcookieProxyBase (usually /api/auth on your own backend). The SDK does credentials: 'include' on every request; cookies ride along automatically.
Use this when XSS-driven token theft matters more than cross-origin convenience. The matching backend helper is expressCookieProxy / createFetchHandler in @tilldev/auth-node.
OAuth fragments
When the user returns from an OAuth provider, the URL looks like?tau_session=<…>. The provider captures and consumes this on mount automatically, no extra wiring. Just make sure the redirect target renders <TillAuthProvider>.
Errors
TillAuthError is what the SDK throws on programmatic misuse. For typed runtime failures from signin/signup/etc., the hook returns a discriminated union and you branch onr.ok.
Server side: @tilldev/auth-node.