An authentication session manager for OpenID Connect using PKCE.
The session manager will keep the user's session permanently active until they either explicitly log out, or the authentication server denies a refresh attempt.
- Automatic token refresh
- Cross-tab session synchronisation
- Exposes `access_token` as an event listener
- Zero dependencies
```sh
$ npm install pkce-spa
```

```js
import { Session } from "pkce-spa";

const session = new Session({ ...config });

session.onChange((accessToken) => {
  // Start the redirect flow if there isn't an active session
  if (accessToken === null) session.login();
});
```

```jsx
import { createContext, useEffect, useState } from "react";

const Token = createContext();

function TokenProvider({ children }) {
  const [token, setToken] = useState(null);
  useEffect(() => session.onChange(setToken), []); // Will clean up effect automatically
  return <Token.Provider value={token}>{children}</Token.Provider>;
}
```

See examples for more usage examples.
- Must have `authorization_code` and `refresh_token` grant types enabled
- Must have token endpoint authentication method set to `none`
- Must have refresh token rotation turned on
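
What the requirements above, and the "active until a refresh is denied" behaviour described at the top, mean on the wire for a public client. This is an added example, not code from pkce-spa; the helper names, client id and token values are hypothetical, and treating only `invalid_grant` as a denial is an assumption.

```javascript
// Added example: helper names are hypothetical, not pkce-spa's API.

// authorization_code grant for a public client (auth method "none"):
// no client_secret; the PKCE code_verifier binds the code to this client.
function codeExchangeBody({ clientId, redirectUri, code, codeVerifier }) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    redirect_uri: redirectUri,
    code,
    code_verifier: codeVerifier,
  });
}

// refresh_token grant: again only client_id, never a secret.
function refreshBody({ clientId, refreshToken }) {
  return new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    refresh_token: refreshToken,
  });
}

// Fold a token endpoint response into the session state.
// Returns the new state, or null once the server has denied the refresh.
function applyTokenResponse(session, status, json, now = Date.now()) {
  if (status === 200 && json?.access_token) {
    return {
      accessToken: json.access_token,
      // Rotation: the response carries a fresh refresh token and the old one
      // is spent. Fall back to the old one only if none was returned.
      refreshToken: json.refresh_token ?? session?.refreshToken ?? null,
      expiresAt: now + (json.expires_in ?? 0) * 1000,
    };
  }
  // Assumption: only invalid_grant counts as a denial that ends the session.
  if (status === 400 && json?.error === "invalid_grant") return null;
  return session; // e.g. a 5xx: keep the current state and retry later
}

// Constructed responses, replayed in order.
let state = applyTokenResponse(null, 200,
  { access_token: "at-1", refresh_token: "rt-1", expires_in: 300 });
state = applyTokenResponse(state, 200,
  { access_token: "at-2", refresh_token: "rt-2", expires_in: 300 });
console.log(refreshBody({ clientId: "spa-demo", refreshToken: state.refreshToken }).toString());
state = applyTokenResponse(state, 400, { error: "invalid_grant" });
console.log(state); // session over: the app would start the login redirect
```

Because each refresh token is single-use under rotation, a client that fails to store the replacement will have its next refresh denied, which is why the state update and the request builder are kept together here.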