When conn.connect() is called, Strophe.js performs SASL (Simple Authentication and Security Layer) negotiation automatically. The server advertises its supported mechanisms in the <stream:features> element; Strophe.js compares that list against the mechanisms it has registered and selects the one with the highest priority that passes its test() check. Your application code does not need to drive this negotiation — but you can control which mechanisms are available and add custom ones when needed.
Default Mechanisms and Priorities
Strophe.js registers the following mechanisms by default, in descending priority order. When multiple mechanisms are mutually supported, the one with the highest priority wins:
SCRAM-SHA-512 — Priority 72
The strongest SCRAM variant available by default. Uses SHA-512 as the hash function. Client and server mutually authenticate: the server proves it knows the password-derived key without ever seeing the password in plaintext.
Exported as Strophe.SASLSHA512. Requires the server to advertise SCRAM-SHA-512.
SCRAM-SHA-384 — Priority 71
SCRAM using SHA-384. Selected when the server supports it but not SHA-512.
Exported as Strophe.SASLSHA384.
SCRAM-SHA-256 — Priority 70
SCRAM using SHA-256. Widely supported and a good practical minimum for new deployments.
Exported as Strophe.SASLSHA256.
SCRAM-SHA-1 — Priority 60
The original SCRAM mechanism from RFC 5802. Still supported by most servers. Prefer a SHA-256 or stronger variant when available.
Exported as Strophe.SASLSHA1.
PLAIN — Priority 50
Sends credentials as a plaintext base64-encoded string. Should only be used over a TLS-protected transport (wss:// or https://). Requires connection.authcid to be non-null (i.e. a JID with a node part must be supplied).
Exported as Strophe.SASLPlain.
OAUTHBEARER — Priority 40
RFC 7628 OAuth 2.0 Bearer token authentication. Pass the access token as the password argument to conn.connect(). Strophe.js packages it in the correct n,,\u0001auth=Bearer <token> format.
Exported as Strophe.SASLOAuthBearer.
X-OAUTH2 — Priority 30
A non-standard OAuth2 variant used by some servers (notably older Google Talk / Jabber infrastructure). Prefer OAUTHBEARER for standards-compliant deployments.
Exported as Strophe.SASLXOAuth2.
ANONYMOUS — Priority 20
RFC 4616 anonymous authentication. No JID node is required: pass only a domain as the JID (e.g. example.com). The server assigns a temporary JID for the session. connection.authcid must be null, which happens when no node part is in the supplied JID.
Exported as Strophe.SASLAnonymous.
EXTERNAL — Priority 10
Used with client-certificate TLS authentication. The client’s identity is asserted by the TLS layer; SASL EXTERNAL simply tells the server to accept that identity. If authcid equals authzid, Strophe.js sends an empty response (indicating “use the identity from the certificate”). Otherwise it sends authzid to request authorization as a different JID.
Exported as Strophe.SASLExternal.
Authentication Status Flow
The connection callback will receive these status values during a normal authentication sequence:
AUTHENTICATING (3)
SASL negotiation is underway. Strophe.js has selected a mechanism and is exchanging challenge/response messages with the server.
Restricting Available Mechanisms
Pass a mechanisms array in ConnectionOptions to limit which SASL mechanisms Strophe.js will offer during negotiation. Only the constructors you list will be registered — all others are ignored:
conn.connect() will fail with AUTHFAIL and the error condition 'no-auth-mech'.
Disabling a Specific Mechanism
To prevent a mechanism from being used without replacing the entire list, override its test() method to return false. Strophe.js calls test() before selecting a mechanism, so returning false effectively disables it:
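The effect of restricting or disabling mechanisms on what gets negotiated, as an added plain-JavaScript model of the selection rule described on this page (it is not Strophe.js code and does not load the library). The names selectMechanism, restrictTo and disable are hypothetical; the priorities and the PLAIN and ANONYMOUS conditions come from this page, and the other test() predicates are assumptions of the model.

```javascript
// Added model of the selection rule; plain JS, does not load Strophe.js.
const needsAuthcid = (conn) => conn.authcid !== null;
const always = () => true;

const DEFAULTS = [
  { name: 'SCRAM-SHA-512', priority: 72, test: needsAuthcid }, // test assumed
  { name: 'SCRAM-SHA-384', priority: 71, test: needsAuthcid }, // test assumed
  { name: 'SCRAM-SHA-256', priority: 70, test: needsAuthcid }, // test assumed
  { name: 'SCRAM-SHA-1', priority: 60, test: needsAuthcid },   // test assumed
  { name: 'PLAIN', priority: 50, test: needsAuthcid },         // per this page
  { name: 'OAUTHBEARER', priority: 40, test: always },         // test assumed
  { name: 'X-OAUTH2', priority: 30, test: always },            // test assumed
  { name: 'ANONYMOUS', priority: 20, test: (conn) => conn.authcid === null },
  { name: 'EXTERNAL', priority: 10, test: always },            // test assumed
];

// Highest-priority registered mechanism that the server offers and whose
// test() passes; otherwise the 'no-auth-mech' error condition.
function selectMechanism(serverOffers, registered, conn) {
  const usable = registered
    .filter((m) => serverOffers.includes(m.name) && m.test(conn))
    .sort((a, b) => b.priority - a.priority);
  return usable.length ? usable[0].name : 'no-auth-mech';
}

// Models passing a shorter mechanisms array in ConnectionOptions.
const restrictTo = (names) => DEFAULTS.filter((m) => names.includes(m.name));

// Models overriding one mechanism's test() to return false.
const disable = (name) =>
  DEFAULTS.map((m) => (m.name === name ? { ...m, test: () => false } : m));

// Constructed scenarios: stream features that list only weak mechanisms.
const alice = { authcid: 'alice' };
const scramOnly = restrictTo(['SCRAM-SHA-512', 'SCRAM-SHA-256']);
console.log(selectMechanism(['PLAIN'], DEFAULTS, alice));   // default list accepts PLAIN
console.log(selectMechanism(['PLAIN'], scramOnly, alice));  // restricted list refuses
console.log(selectMechanism(['PLAIN', 'SCRAM-SHA-1'], disable('SCRAM-SHA-1'), alice));
```

With the default list the client authenticates with whatever the stream features offer, down to PLAIN; a restricted list turns the same situation into an authentication failure that the application can surface.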
ANONYMOUS Authentication
For guest sessions that do not require a user account, use SASL ANONYMOUS. Pass only the server domain (no node part) as the JID to connect(). Strophe.js detects that authcid is null and the SASLAnonymous.test() method returns true:
EXTERNAL (Certificate) Authentication
SASL EXTERNAL is used when the client’s identity is established by the TLS layer (e.g. a client certificate). Pass the JID and any optional authcid value to influence whether an authorization identity is sent:
Explicit Resource Binding
By default, Strophe.js calls conn.bind() automatically as soon as the server advertises the urn:ietf:params:xml:ns:xmpp-bind stream feature after authentication. If you need to perform other stream-level setup first (for example, activating XEP-0198 Stream Management), set explicitResourceBinding: true in ConnectionOptions. The connection callback will then receive Strophe.Status.BINDREQUIRED (11) instead of proceeding to binding automatically:
Writing a Custom SASL Mechanism
Subclass SASLMechanism to implement a proprietary or non-standard mechanism. Override test() to indicate when the mechanism can run and onChallenge() to produce the client’s response string:
SASLMechanism Lifecycle Methods
Sets the mechanism name (must match the server-advertised string), whether the client sends data first before receiving a challenge, and the priority used for selection.
Called before selection. Return false to prevent this mechanism from being used on this connection.
Called once when the mechanism is selected and negotiation begins. Stores the connection reference internally.
Called when isClientFirst is true to get the client’s initial message. Defaults to delegating to onChallenge().
Called each time the server sends a challenge. Return the client’s response string. May be async (return a Promise). Throw or return false to signal failure.
Called when the server signals authentication success. Clears the internal connection reference.
Called when the server signals authentication failure. Clears the internal connection reference.
SCRAM Key Caching
After a successful SCRAM authentication, Strophe.js stores the derived client and server keys in connection.scram_keys. On subsequent connections you can pass these pre-derived keys as the password object to skip the expensive key derivation step:
{ name: string, ck: string, sk: string, iter: number, salt: string } where name is the hash algorithm name, ck is the base64-encoded client key, sk is the base64-encoded server key, iter is the iteration count, and salt is the base64-encoded salt.