An Authaz application. From the dashboard, grab Application ID, Client Secret, and Organization ID. Add http://localhost:3000/auth/callback as a redirect URI (and your production URL).
Authaz redirects users back to /auth/callback as a GET, but the handler expects a POST (so the auth code never ends up logged in browser history). Serve a tiny HTML page that re-POSTs:
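One way to build that bridge page, as an added example rather than Authaz SDK code. It assumes the redirect carries the standard OAuth `code` and `state` query parameters and that the POST handler accepts a form-encoded body at the hypothetical path `/api/auth/callback`; `renderCallbackBridge` and `escapeHtml` are illustrative names.

```typescript
// Added example, not Authaz SDK code: builds the GET -> POST bridge response.
// ASSUMPTION: the SDK's POST handler lives at this path; change it to yours.
const POST_TARGET = "/api/auth/callback";

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Query values are attacker-controllable, so escape them before reflecting.
function escapeHtml(value: string): string {
  return value.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

interface BridgeResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

function renderCallbackBridge(query: Record<string, string | undefined>): BridgeResponse {
  const headers: Record<string, string> = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store",       // keep the code out of caches
    "Referrer-Policy": "no-referrer",  // and out of Referer headers
  };
  const code = query["code"];
  if (!code) {
    return { status: 400, headers, body: "<p>Missing authorization code.</p>" };
  }
  const state = query["state"];
  const stateField = state
    ? `<input type="hidden" name="state" value="${escapeHtml(state)}">`
    : "";
  const body = `<!doctype html>
<meta charset="utf-8">
<form id="bridge" method="post" action="${POST_TARGET}">
<input type="hidden" name="code" value="${escapeHtml(code)}">
${stateField}
<noscript><button type="submit">Continue</button></noscript>
</form>
<script>
history.replaceState(null, "", location.pathname); // drop ?code= from history
document.getElementById("bridge").submit();
</script>`;
  return { status: 200, headers, body };
}
```

Return the resulting status, headers and body from your GET `/auth/callback` route, passing it the request's query parameters.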
authMiddleware() — fast, cookie-only check. Returns 401 if no session cookie:
```typescript
import { authMiddleware } from "@authaz/hono";

app.use("/api/protected/*", authMiddleware());

app.get("/api/protected/data", (c) => {
  return c.json({ secret: "only signed-in users see this" });
});
```
createAuthMiddleware({ authazDomain, apiKey }) — fetches the user via OIDC userinfo and attaches them to the context. Use when you actually need the user object:
```typescript
import { createAuthMiddleware } from "@authaz/hono";

const { requireUser, optionalUser } = createAuthMiddleware({
  authazDomain: "https://auth.authaz.io",
  apiKey: process.env.AUTHAZ_API_KEY!,
});

app.use("/api/profile", requireUser);

app.get("/api/profile", (c) => {
  const user = c.get("user");
  return c.json({ user });
});
```
optionalUser does the same fetch but does not 401 if the user is unauthenticated — useful for personalized public pages.
```bash
AUTHAZ_CLIENT_ID=app_01h... \
AUTHAZ_CLIENT_SECRET=secret_... \
AUTHAZ_ORGANIZATION_ID=0199... \
npm run dev
```
Visit http://localhost:3000/api/auth/login — you'll be redirected to Universal Login. Sign up, get redirected back, and GET /api/auth/me will return your user.
Run the React quickstart on the same origin (or proxy /api/auth/* from your dev server) and the SDK on both sides will share the session cookie automatically. Vite proxy snippet: