Docs/Add Hardware-Backed Sign-In to Your Application/ SvelteKit (oidc-client-ts)
View as .md

SvelteKit (oidc-client-ts)

See the Applications overview for prerequisites, configuration endpoints, and available scopes.

oidc-client-ts integrates with SvelteKit using Svelte 5 reactivity ($state and $derived). Key configuration:

  • No client secret needed (public client with PKCE, enabled by default)
  • Vouch does not issue refresh tokens — redirect the user to sign in again when the token expires
  • Uses sessionStorage for state persistence
  • The hardware attestation claim (hardware_verified) is in the access token JWT — decode with atob(token.split('.')[1]) after base64url character replacement

Example

spa/sveltekit — Complete working example with oidc-client-ts, Svelte 5 reactivity, PKCE, and hardware claim extraction.