TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/nuxt-alt/auth/llms.txt
Use this file to discover all available pages before exploring further.
oauth2 scheme implements the full OAuth2 authorization flow, supporting the authorization code grant with PKCE (S256 or plain), the implicit token flow, and refresh token rotation. It handles the complete redirect-and-callback lifecycle, exchanges authorization codes for access tokens, stores and renews tokens automatically, and fetches the user profile from a configurable userinfo endpoint. Use it to integrate with any standards-compliant OAuth2 provider such as GitHub, Google, Auth0, or Okta.
Configuration
nuxt.config.ts
Endpoints
The OAuth2 authorization URL. The user is redirected here to grant access. This is the only required endpoint.
The token exchange endpoint. Required when using the
authorization_code grant type. The scheme makes a POST request here to exchange an authorization code for an access token.Default: undefinedThe userinfo endpoint URL. The scheme makes an authenticated
GET request here to populate the user object after a successful token exchange. When not set, the user object is left empty.Default: undefinedThe logout redirect URL. When set, the user is redirected here (with
client_id and redirect_uri query parameters appended) on logout. Set to false or leave unset to perform only a local session reset without a provider redirect.Default: undefinedOAuth2 Flow
The OAuth2
response_type parameter sent in the authorization request. Common values are 'code' (authorization code grant), 'token' (implicit grant), 'id_token', or 'none'.Default: 'token'The OAuth2
grant_type sent during the token exchange request. Typical values are 'authorization_code', 'client_credentials', 'password', or 'refresh_token'.Default: undefinedThe JARM (JWT Secured Authorization Response Mode) mode. Accepted values are
'query.jwt', 'fragment.jwt', 'form_post.jwt', and 'jwt'. Leave unset for standard responses.Default: undefinedThe PKCE code challenge method. Use
'S256' for SHA-256 hashed challenges (recommended), 'plain' for unencoded challenges, or false to disable PKCE entirely.Default: falseThe OAuth2 scopes to request. May be provided as a space-delimited string or an array of scope names. Arrays are joined with a space before being sent to the provider.Default:
[]A custom state string included in the authorization request. When not set, a random 10-character string is generated automatically for CSRF protection.Default: auto-generated
Authentication Context Class Reference values forwarded as
acr_values in the authorization request. Used by some enterprise identity providers to request specific authentication assurance levels.Default: undefinedThe intended
audience of the access token. Required by some providers (e.g. Auth0) to scope the token to a specific API.Default: undefinedClient
Your OAuth2 application’s client ID, issued by the provider when you register the application.
Controls how the client secret is sent during the token exchange.
'body' includes it as a form field; 'aurthorization_header' uses HTTP Basic authentication.Default: 'body'The callback URI registered with the OAuth2 provider. When not set, the scheme auto-computes it from the app’s
baseURL and the redirect.callback path configured in auth.options.redirect.Default: auto-computedThe URI the provider should redirect the user to after logout. When not set, the scheme auto-computes it from the app’s origin and the
redirect.logout path.Default: auto-computedGoogle’s
access_type parameter. Use 'offline' to request a refresh token from Google’s OAuth2 server.Default: undefinedPopup Window
By default the OAuth2 scheme redirects the entire page to the provider. SettingclientWindow: true opens the provider’s authorization page in a popup instead, leaving the parent page in place. After the user approves access, the popup posts a message back to the parent and closes automatically.
When
true, opens the OAuth2 authorization flow in a popup window instead of redirecting the current page.Default: falseWidth of the popup window in pixels.Default:
400Height of the popup window in pixels.Default:
600Popup configuration example
Token
The dot-notation path in the token exchange (or refresh) response where the access token lives.Default:
'access_token'The dot-notation path in the token response for the access token’s lifetime in seconds. Used when
token.maxAge is false.Default: 'expires_in'The prefix prepended to the token value when setting the authorization header (e.g.
'Bearer mytoken123'). Set to false to send the raw token without a prefix.Default: 'Bearer'The HTTP request header used to carry the token.Default:
'Authorization'Override the token lifetime in seconds, ignoring any value returned by the server. When
false, the scheme reads token.expiresProperty from the token response instead.Default: falseWhen
true, the token is automatically attached to every outgoing HTTP request via the request interceptor.Default: trueThe key prefix used when persisting the token in storage.Default:
'_token.'The key prefix used when persisting the token expiration timestamp in storage.Default:
'_token_expiration.'When
true, the access token is expected to be managed by a server-side httpOnly cookie rather than stored in JavaScript-accessible storage.Default: falseUser
The dot-notation path within the userInfo endpoint response that contains the user object. Set to
false if the entire response body is the user object.Default: falseRefresh Token
The dot-notation path in the token exchange (or refresh) response where the refresh token lives. Set to
false if the provider does not return a refresh token.Default: 'refresh_token'The refresh token’s lifetime in seconds. Used to determine when the refresh token itself has expired and a new authorization flow is required.Default:
2592000 (30 days)The key prefix used when persisting the refresh token in storage.Default:
'_refresh_token.'The key prefix used when persisting the refresh token expiration timestamp in storage.Default:
'_refresh_token_expiration.'When
true, the refresh token is expected to be stored in a server-managed httpOnly cookie. The scheme omits the refresh token from request bodies, relying on the browser to send the cookie automatically.Default: falseOther Options
When
true, the scheme resets the session on mount if the access token has expired and cannot be refreshed (e.g. the refresh token has also expired or is unavailable).Default: falseAn organization identifier forwarded as the
organization parameter in the authorization request. Used by Auth0 and some Okta configurations.Default: undefinedTriggering Login Programmatically
CallingloginWith on an OAuth2 strategy initiates the provider redirect (or popup). No credentials are needed — the provider handles authentication:
The OAuth2 callback route (default:
/login) must be publicly accessible without authentication. Mark the page with definePageMeta({ auth: false }) to prevent the auth middleware from redirecting unauthenticated users away before the callback can be processed.