@orangecheck/auth-core
Advanced tools
OrangeCheck session JWT primitives. Verifies oc_session tokens against the auth host's published JWKS — no env vars, no JWK handling. Re-exported by @orangecheck/me-client for integrators; also used by family consumer subdomains directly.
@orangecheck/auth-coreFull reference: docs.ochk.io/sdk/auth-core — auto-generated from the TypeScript source on every release. Hand-written prose below is the high-level overview; the docs site is the source of truth for every export, type, and signature.
Cross-subdomain session primitives for the OrangeCheck ecosystem.
A ~3 KB package that handles:
joseSessionPayload (sub, did_oc, jti, …)No React, no DB, no framework. Usable from Node, Edge, or browser.
There is one auth host (by convention https://ochk.io) that holds the
private JWK and issues tokens. Every consumer subdomain (attest.ochk.io,
lock.ochk.io, docs.ochk.io, …) only holds the public JWK and verifies
locally — no network round-trip.
The session cookie is set with Domain=.ochk.io, so once a user signs in on
any subdomain, every other subdomain sees them as signed-in immediately.
yarn add @orangecheck/auth-core
node scripts/gen-auth-keys.mjs
# → prints OC_AUTH_KID, OC_AUTH_PRIVATE_JWK, OC_AUTH_PUBLIC_JWK
OC_AUTH_PRIVATE_JWK lives only on the auth host. The public JWK + KID go on
every subdomain.
import { signSession, serializeSessionCookie } from '@orangecheck/auth-core';
const token = await signSession(
{ sub: accountId, did_oc: didOc, jti: crypto.randomUUID() },
{
kid: process.env.OC_AUTH_KID!,
privateJwk: process.env.OC_AUTH_PRIVATE_JWK!,
publicJwk: process.env.OC_AUTH_PUBLIC_JWK!,
issuer: 'https://ochk.io',
},
60 * 60 * 24 * 30
);
res.setHeader(
'Set-Cookie',
serializeSessionCookie(token, { domain: '.ochk.io', maxAge: 60 * 60 * 24 * 30 })
);
import { readSessionCookie, verifySessionToken } from '@orangecheck/auth-core';
const token = readSessionCookie(req.headers.cookie);
if (!token) return res.status(401).end();
const payload = await verifySessionToken(token, {
publicJwk: process.env.OC_AUTH_PUBLIC_JWK!,
issuer: 'https://ochk.io',
});
if (!payload) return res.status(401).end();
// payload.did_oc is the opaque user identifier (did:oc:<32-hex>).
MIT.
FAQs
OrangeCheck session JWT primitives. Verifies oc_session tokens against the auth host's published JWKS — no env vars, no JWK handling. Re-exported by @orangecheck/me-client for integrators; also used by family consumer subdomains directly.
The npm package @orangecheck/auth-core receives a total of 183 weekly downloads. As such, @orangecheck/auth-core popularity was classified as not popular.
We found that @orangecheck/auth-core demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Product
Socket MCP now lets AI assistants review org alerts, investigate threats using the Socket threat feed, and inspect package files in addition to dependency scoring.
Product
Socket Firewall blocks malicious VS Code and Open VSX extensions before install, protecting developers from compromised editor marketplaces.
Research
More than 140 Mastra npm packages were compromised in a supply chain attack that used a typosquatted dependency to deliver a cross-platform infostealer during installation.