Docs/Add Hardware-Backed Sign-In to Your Application/ Vanilla JavaScript
View as .md

Vanilla JavaScript

See the Applications overview for prerequisites, configuration endpoints, and available scopes.

oidc-client-ts works with plain JavaScript — no framework required. It can be loaded via CDN (https://cdn.jsdelivr.net/npm/oidc-client-ts). Key configuration:

  • No client secret needed (public client with PKCE, enabled by default)
  • Vouch does not issue refresh tokens — redirect the user to sign in again when the token expires
  • Initialize UserManager and call signinRedirectCallback() on the callback page
  • Hardware attestation claims (hardware_verified, hardware_aaguid) are in the access token JWT — decode with atob(token.split('.')[1]) after base64url character replacement

Example

spa/vanilla-js — Complete working example with oidc-client-ts, PKCE, and hardware claim extraction.