Hey everyone. Just wondering wether anyone has used Descope with Sveltekit?

Hey @wide-vegetable-84340 We don't have any Sveltekit SDK at the moment, but did you try to use

web-js-sdk

? Also, are you planning to use Flows ? or API/SDK for authentication ? If you tried any, did you find any issue? errors ?

Thanks for the reply. So I tried method number 2 in the docs. I have got the web-js-sdk and the node-sdk for frontend side and server side. So far I have zero issues sending the email for signup and signin and then verifying the link and the web-js-sdk setting the cookie as it should. I am finding it difficult to implement the verification of the session with the node-sdk on the server hooks function which runs before anything happens in a Sveltekit project. Not sure if I am doing something wrong or I am misunderstanding the documentation. What I understand from the documentation is the web-js-sdk will send the email and verify the token but cannot actually verify the session and this is why I need the node-sdk fo that verification. Once I am able to verify the session and grab maybe the tenant and roles from the session cookie, I will be able to continue implementing my other logic.

@few-holiday-24516 @great-diamond-35515 can you help here ?

Hi @wide-vegetable-84340 Currently the session validation can be done via the Node SDK, You can see an example here

from the conversation above - I understand you are implementing magic link, and you are facing an issue with how to verify the magic link token that is in the mail, is that correct? I’m not familiar with Svelte/Sveltekit, what is the issue? passing the token to the server? or validating it in the server?

@wide-vegetable-84340 would you like to setup some zoom session on Sunday to go over this ?

Hi guys I got the authentication working, but I am not getting my refresh token set by the client SDK, but that could be because of working on localhost?

it is possible, how do y ou manage tokens? session on cookie?

Via cookies

So if you are using the webjs-sdk, then you need to pass few parameters for auto-refresh and also need to call refresh once after successful flow completion.

This is my current test code for now import { descope } from '$lib/auth/descope'; // loginId: email or phone - becomes the loginId for the user from here on and also used for delivery let email = ''; // uri: (Optional) this is the link that user is sent (code appended) for verification. Your application needs to host this page and extract the token for verification. The token arrives as a query parameter named 't' const verify_uri = "https://rapyd.group/auth/verify" // deliveryMethod: Delivery method to use to send magic-link. Supported values include "email" or "sms" const deliveryMethod = "email" let message = ''; async function handleMagicLinkLogin() { try { const response = await descope.magicLink.signIn[deliveryMethod](email, verify_uri); if (response.ok) { message = `A magic link has been sent to ${email}!`; } else { message = `Failed to send magic link to ${email}: ${response.error.message}`; } } catch (error) { console.error('An unexpected error occurred:', error); message = 'An unexpected error occurred. Please try again later.'; } }

and call

sdk.refresh()

after successful login.

I changed sdk to descope, so it would be descope.refresh()?

yes

with this persistTokens: true, autoRefresh: true, does that automatically create the two session cookies?

yes that should happen if you set the manage of tokens in cookies

I changed initialization code to import descopeSdk from '@descope/web-js-sdk'; const projectId = 'P2LoVT8OgsO2b4zD4fPwbTtzASNT'; const descope = descopeSdk({ projectId, persistTokens: true, autoRefresh: true }); export { descope }; And added descope.refresh() under my magic link verification, but it did not do anything. Could it be working on localhost? const resp = await descope.magicLink.verify(token); descope.refresh();

So if I understand correctly, you are not seeing cookie for token on localhost? Do you see them in localstorage?

I don't see them in either

We might need to see this on a zoom.. let me dm you.

Hi guys, I jumped back in with development and decided to jump straight into using the API directly and when verifying a magic link token I got the same response with no refresh token being given in the response. This is the endpoint: https://api.descope.com/v1/auth/magiclink/verify This is the response I got: *{*"sessionJwt": "eyJhbGciOiJSUzI1NiIsImtpZCI6IlAyTG9WVDhPZ3NPMmI0ekQ0ZlB3YlR0ekFTTlQiLCJ0eXAiOiJKV1QifQ.eyJhbXIiOlsiZW1haWwiXSwiZHJuIjoiRFMiLCJleHAiOjE2ODI0MjY5ODEsImlhdCI6MTY4MjQyNjM4MSwiaXNzIjoiUDJMb1ZUOE9nc08yYjR6RDRmUHdiVHR6QVNOVCIsInJleHAiOiIyMDIzLTA1LTIzVDEyOjM5OjQxWiIsInN1YiI6IlUyTnYydWU2RHlzbVJRRXpmZXBmcGJvU0NlY28iLCJ0ZW5hbnRzIjp7IlQyT3M2NmZwTHBySnFLMmdlRHhObEZOZTVZV1IiOnsicGVybWlzc2lvbnMiOlsiU1NPIEFkbWluIiwiVXNlciBBZG1pbiJdLCJyb2xlcyI6WyJUZW5hbnQgQWRtaW4iXX19fQ.xHpeMp2_mxbT0meyngqFJUvGQenoq6VsAKzrLb9xXSKSDtFOjSI1uGDROcN3W4GE_g0XSzA5FlV1CM4ruCwlXuDb425a9Z7FfzRFnnR2ruU-lIv1XxQSMZtx1swcNbkZnpUPKiB-F4GCV5amR2bBnZrTwzjYBOVzjsRqnNPSBCkcjQu64d4AtX7OGkIGw_xpYCQmjn01aRR6rpcJeAPM_5RMDf2Tz34c2-LOlTDJqtUmeejHoB0gQNuC5hhYWAy6SWp2zprQpZEBPnvH2f_4en1Bf_KrNRyUW-OSEGo-_Kz1FzptuH0KP3F3Pli5h27dXtWediXmXotzq2Egqd8UJQ", "refreshJwt": "", "cookieDomain": "rapyd.group, localhost", "cookiePath": "/", "cookieMaxAge": 2419199, "cookieExpiration": 1684845581, "user": *{*"loginIds": *[*"simon@rapyd.group" ], "userId": "U2Nv2ue6DysmRQEzfepfpboSCeco", "name": "Simon Williams", "email": "simon@rapyd.group", "phone": "27684122631", "verifiedEmail": true, "verifiedPhone": false, "roleNames": [], "userTenants": *[{*"tenantId": "T2Os66fpLprJqK2geDxNlFNe5YWR", "roleNames": *[*"Tenant Admin" ] } ], "status": "enabled", "externalIds": *[*"simon@rapyd.group" ], "picture": "", "test": false, "customAttributes":

Copy code

{}

, "createdTime": 1680530458 }, "firstSeen": false } Is there a reason that I am not getting a refreshJWT?

plz don't post JWT in public channel

@square-vr-55083 I am not worried about security at the moment, just want to get this working... On the project settings do you mean on the descope dashboard side?

can you change to the other option, instead of cookies, use

Manage in response body

So that worked and I get the refresh token. How come it doesn't work on cookie where I need it to work for production?

because if you decide to store in cookies, you get 2 cookies, 1 is for access token (called DS) and 1 for refresh token (DSR)

It is really odd because when I have used the SDK approach combining the webjs and backend SDK I only ever got the access token but not the refresh token. It could be a Sveltekit thing as I have run into some weird quirks with it, but I am beginning to think not. Is it at all safe to not use the cookie method?

it is safe to use not use cookie, but in general storing in cookies is considered safer

I can just store them as cookies anyway using the direct API. My next question would be how to use https://api.descope.com/v2/keys/{projectId} api to actually validate the session token? Would I use "n" in the "keys" object?

session validation you usually want to do on your backend, for example : https://docs.descope.com/build/guides/session/#validate-session