User Auth (Client-Side)

In any situation where you're calling our API with a Niftory AppUser, this is the type of authentication you should use. If you're using your own User system, you can skip this portion of the guide.

To allow your users to sign in, set up their accounts, and interact with your application data, you'll have them log in via the OAuth authorization code grant. This is the way most OAuth providers authenticate end users, and most OAuth libraries will handle the flow for you automatically.

By default, this will authenticate the user as an AppUser. This will allow them to see and manage their own data within your application.

We currently support login via Google. In the future, we will support other OIDC providers, and wallet-only login as well.


In the sample app, user authentication is handled via next-auth:

Setting up the Niftory auth provider with NextAuth
const NIFTORY_AUTH_PROVIDER: Provider = {
  id: "niftory",
  name: "Niftory",
  type: "oauth",
  wellKnown: urljoin(
    process.env.NIFTORY_AUTH_SERVICE as string,
  authorization: { params: { scope: "openid email profile" } },
  clientId: process.env.NEXT_PUBLIC_CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  checks: ["pkce", "state"],
  idToken: true,
  profile(profile) {
    return {
      id: profile.sub,
      image: profile.picture,
  httpOptions: {
    timeout: 10000,

export default NextAuth({
  callbacks: {
    // Seealso:
    jwt: async ({ token, user, account }) => {
      // user is only passed in at inital signIn.
      // Add authTime to token on signIn
      if (user) {
        token.authTime = Math.floor( / 1000);

      if (account?.id_token) {
        token.id_token = account.id_token;

      return token;
    session: async ({ session, token }) => {
      session.clientId = token.aud;
      session.userId = token.sub;
      session.authToken = token.id_token;

      return session;

Pay particular attention to

clientId: process.env.NEXT_PUBLIC_CLIENT_ID,
clientSecret: process.env.CLIENT_SECRET,

See Application Credentials for more details on these properties.

This can be replaced by any other authentication system - everything is standard OAuth.

Last updated