RootAuth API Mode provides a pre-packaged frontend API interface without any UI. You are free to implement login, registration, and other pages according to your own design style, and call the SDK to complete the authentication logic.
1. Preparation
Create an application in the RootAuth Console and copy the app_id (format: app_******).
2. Prerequisite
Please add the following configuration line to the .npmrc file in the project root directory:
@rootauth:registry=http://gitlab.standard-software.co/api/v4/projects/12421/packages/npm/
3. Install the SDK
Run the following command in your project root directory to install the dependency package:
npm install @rootauth/core
4. Create a RootAuthClient Instance
Create an instance in your entry file (e.g., main.js):
// main.js
import { RootAuthClient, type RootAuthClientConfig } from '@rootauth/core'
const options: RootAuthClientConfig = {
app_id: 'app_******', // Required: app_id generated from the workspace
}
const client = new RootAuthClient(options)
4.1 Complete Configuration Options
RootAuthClientConfig
interface RootAuthClientConfig {
app_id: string // Required: obtained from the workspace application configuration
api_base_url?: string // Backend API endpoint path, defaults to https://rootauth-api.rootauth.com
redirect_uri?: string // Redirect path after successful login, defaults to location.origin
state?: string // Custom parameter, returned as-is by the API
locale?: string // Current language, defaults to zh-CN; currently supports zh-CN, en-US
scope?: string[] // Scope mapping, defaults to ['openid']; add fields like avatar, username here
grant_type?: string // Authorization mode, defaults to authorization_code
enable_google_one_tap?: boolean // Enable Google One Tap login, defaults to false
}
Note: The mode parameter is deprecated in this version and should not be passed.
5. Inject the Global Instance
(Using Nuxt as an example)
For other frameworks (Vue, React, etc.), you can follow a similar approach and mount the client globally.
5.1 Create the Plugin File
plugins/rootauth.client.ts:
// plugins/rootauth.client.ts
import { RootAuthClient, type RootAuthClientConfig } from '@rootauth/core'
export default defineNuxtPlugin(() => {
const options: RootAuthClientConfig = {
app_id: 'app_******', // Required: app_id generated from the workspace
}
const client = new RootAuthClient(options)
return {
provide: {
rootauth: client,
},
}
})
5.2 Register the Plugin
nuxt.config.ts:
// nuxt.config.ts
export default defineNuxtConfig({
plugins: [
'@/plugins/rootauth.client.ts',
]
})
5.3 Access the Instance in a Component
const { $rootauth } = useNuxtApp()
$rootauth?.xxx()
5.4 Wrap in a Composable (Recommended)
composables/useRootAuth.ts:
// composables/useRootAuth.ts
import type { RootAuthClient } from '@rootauth/core'
/** RootAuth client (injected by `plugins/rootauth.client` when `ROOTAUTH_APP_ID` is configured) */
export function useRootAuth(): RootAuthClient | undefined {
return useNuxtApp().$rootauth as RootAuthClient | undefined
}
Usage:
const rootauth = useRootAuth()
rootauth?.xxx()
6. General Notes
-
Form validation: RootAuth does not perform frontend validation. Please validate before calling the API.
-
Password encryption: Only plaintext passwords are required; the SDK will encrypt them automatically.
-
Callback override: The second parameter callbacks of each method can accept onSuccess, which completely overrides the SDK’s default behavior. If you only need to add extra logic (e.g., closing a loading indicator), use the Promise chain (.then() / .catch()) directly without passing the second parameter.
-
Success / failure handling: Failed requests uniformly use Promise reject. Both success and failure responses include a rootauth_message object (containing type and msg), which is internationalized (Chinese/English). API mode does not automatically show any UI prompts; you must handle error displays yourself.
7. API Method Details
7.1 Login
This interface is also used when the workspace option “Combine Login and Registration” is selected.
const rootauth = useRootAuth()
interface LoginParams {
type: string // Required: login method: EMAIL_PASS|EMAIL_CODE|PHONE_PASS|PHONE_CODE. Currently supports EMAIL_PASS (email+password), EMAIL_CODE (email verification code), PHONE_CODE (phone verification code), PHONE_PASS (phone+password)
email: string // Required: user email
password?: string // Required when type is EMAIL_PASS/PHONE_PASS; note: only plaintext password is required, RootAuth handles encryption
code?: string // Required when type is EMAIL_CODE/PHONE_CODE
redirect_uri?: string // Redirect path after login; recommended to omit and use the global redirect_uri
scope?: string[] // Scope mapping; recommended to omit and use the global scope
state?: string // Custom parameter, returned as-is; recommended to omit and use the global state
grant_type?: string // Authorization mode; recommended to omit and use the global grant_type
}
// Second parameter of the login method
interface RootAuthFlowCallbacks<T = unknown> {
onSuccess?: (data: T) => void
}
// Success/failure response includes this message for user display
type RootAuthClientSuccessResponse {
rootauth_message?: {
type: string // success, error, warning
msg: string // Prompt text, already internationalized
}
}
// Available type
rootauth?.login(
params: LoginParams,
callbacks?: RootAuthFlowCallbacks<RootAuthClientSuccessResponse<CustomerLoginResponse>>,
)
.then((res) => {
// Add your own logic based on RootAuth's default behavior
})
.catch((err) => {
// Handle request failures here
console.log('err', err)
})
.finally(() => {
// Close loading indicator, etc.
})
Example of overriding default behavior (passing the second parameter):
const handleSubmit = () => {
// User handles pre-validation
loading.value = true
rootauth?.login({
type: 'EMAIL_PASS',
email: '123456@qq.com',
password: '123456'
},
{
onSuccess: (res) => {
// Custom login success callback, including notifications, etc.
if (res.rootauth_message.msg) {
message[res.rootauth_message.type || 'success'](
res.rootauth_message.msg
)
}
}
})
.catch(err => {
// Handle request failures here
if (err.rootauth_message.msg) {
message[err.rootauth_message.type || 'error'](
err.rootauth_message.msg
)
}
})
.finally(() => {
loading.value = false
})
}
7.2 Register
interface RegisterParams {
type?: string // Registration type: EMAIL_CODE_PASS|PHONE_CODE_PASS. Defaults to EMAIL_CODE_PASS (email verification code). Supports EMAIL_CODE_PASS and PHONE_CODE_PASS (SMS verification code)
email?: string // User email, required when type=EMAIL_CODE_PASS
code: string // Required: email/phone activation code
password: string // Required: password; note: only plaintext password is required, RootAuth handles encryption
phone_code?: string // Phone country code, required when type=PHONE_CODE_PASS, e.g., '86'
phone_num?: string // Phone number, required when type=PHONE_CODE_PASS
redirect_uri?: string // Redirect path after login; recommended to omit and use the global redirect_uri
scope?: string[] // Scope mapping; recommended to omit and use the global scope
state?: string // Custom parameter, returned as-is; recommended to omit and use the global state
grant_type?: string // Authorization mode; recommended to omit and use the global grant_type
}
// Same as the second parameter of the login method
interface RootAuthFlowCallbacks<T = unknown> {
onSuccess?: (data: T) => void
}
// Success/failure response includes this message for user display, same as login
type RootAuthClientSuccessResponse {
rootauth_message?: {
type: string // success, error, warning
msg: string // Prompt text, already internationalized
}
}
const params: RegisterParams = {
email: '123456@qq.com',
password: '123456',
code: '123456',
}
rootauth?.register(params)
.then((res) => {
// Add your own logic based on RootAuth's default behavior
})
.catch((err) => {
console.error(err)
})
.finally(() => {
})
7.3 Send Verification Code
interface SendCodeParams {
type?: string // Verification code type: EMAIL|PHONE_TEXT. Defaults to EMAIL. Supports EMAIL and PHONE_TEXT (SMS)
email?: string // User email, required when type=EMAIL
email_template_type?: string // Template type, required when type=EMAIL. Values: register_code|login_code|reset_pass_code|login_mfa_code. register_code and login_mfa_code: registration code; login_code: login code; reset_pass_code: password reset code; login_mfa_code: MFA login code
phone_code?: string // Phone country code, required when type=PHONE_TEXT, e.g., '86'
phone_num?: string // Phone number, required when type=PHONE_TEXT
phone_text_template_type?: string // SMS template, required when type=PHONE_TEXT. Values: register_code|login_code|reset_pass_code|login_mfa_code. Supports register_code, login_code, reset_pass_code, login_mfa_code
redirect_uri?: string // Redirect path after login; recommended to omit and use the global redirect_uri
scope?: string[] // Scope mapping; recommended to omit and use the global scope
state?: string // Custom parameter, returned as-is; recommended to omit and use the global state
grant_type?: string // Authorization mode; recommended to omit and use the global grant_type
}
// Same as the second parameter of the login method
interface RootAuthFlowCallbacks<T = unknown> {
onSuccess?: (data: T) => void
}
// Success/failure response includes this message for user display, same as login
type RootAuthClientSuccessResponse {
rootauth_message?: {
type: string // success, error, warning
msg: string // Prompt text, already internationalized
}
}
const params: SendCodeParams = {
email: '123456@qq.com',
email_template_type: 'register_code'
}
rootauth?.sendCode(params)
.then((res) => {
// Add your own logic based on RootAuth's default behavior
})
.catch((err) => {
console.error(err)
})
.finally(() => {
})
Note: Verification codes have a 60‑second cooldown. Please implement a countdown timer yourself.
7.4 Reset Password
interface ResetPasswordUParams {
type?: string // Verification code type: EMAIL_CODE|PHONE_CODE. Defaults to EMAIL_CODE. Supports EMAIL_CODE and PHONE_CODE
email?: string // Email, required when type=EMAIL_CODE
password: string // New password; note: only plaintext password is required, RootAuth handles encryption
password_confirmation: string // Confirm password; note: only plaintext password is required, RootAuth handles encryption
code: string
phone_code?: string // Phone country code, required when type=PHONE_CODE, e.g., '86'
phone_num?: string // Phone number, required when type=PHONE_CODE
redirect_uri?: string // Redirect path after login; recommended to omit and use the global redirect_uri
scope?: string[] // Scope mapping; recommended to omit and use the global scope
state?: string // Custom parameter, returned as-is; recommended to omit and use the global state
grant_type?: string // Authorization mode; recommended to omit and use the global grant_type
}
// Same as the second parameter of the login method
interface RootAuthFlowCallbacks<T = unknown> {
onSuccess?: (data: T) => void
}
// Success/failure response includes this message for user display, same as login
type RootAuthClientSuccessResponse {
rootauth_message?: {
type: string // success, error, warning
msg: string // Prompt text, already internationalized
}
}
const params: ResetPasswordUParams = {
email: '123456@qq.com',
password: '123456',
password_confirmation: '123456',
code: '111111'
}
rootauth?.resetPassword(params)
.then((res) => {
// Add your own logic based on RootAuth's default behavior
})
.catch((err) => {
console.error(err)
})
.finally(() => {
})
7.5 Third‑Party Login
interface ThirdPartyLoginParams {
auth_by: string // Third-party type: google_oauth|telegram|facebook. google_oauth: Google login, telegram: Telegram login, facebook: Facebook login
redirect_uri?: string // Redirect path after login; recommended to omit and use the global redirect_uri
scope?: string[] // Scope mapping; recommended to omit and use the global scope
state?: string // Custom parameter, returned as-is; recommended to omit and use the global state
grant_type?: string // Authorization mode; recommended to omit and use the global grant_type
response_type?: string // Response type, defaults to 'code'
}
// Success/failure response includes this message for user display, same as login
type RootAuthClientSuccessResponse {
rootauth_message?: {
type: string // success, error, warning
msg: string // Prompt text, already internationalized
}
}
const params: ThirdPartyLoginParams = {
auth_by: 'google_oauth',
redirect_uri: '****/search'
}
rootauth?.thirdPartyLogin(params)
.then((res) => {
// Add your own logic based on RootAuth's default behavior
})
.catch((err) => {
console.error(err)
})
.finally(() => {
})
7.6 Google One Tap Login
You need to enable the enable_google_one_tap: true option when creating the instance.
const options: RootAuthClientConfig = {
app_id: 'app_******', // Required: app_id generated from the workspace
enable_google_one_tap: true // Set to true to enable One Tap login
}
const client = new RootAuthClient(options)
client?.googleOneTapLogin()
7.7 MFA Two‑Factor Verification
When email verification, OTP verification, or SMS verification is enabled in the workspace, the login API will return mfa_token and mfa_methods when logging in with email/password. Based on the mfa_methods hints, call verifyLoginMfa to complete verification.
Meanings of returned mfa_methods values:
Call the verification interface:
interface LoginMfaVerifyParams {
mfa_token: string // mfa_token returned by the login API
mfa_type: string // MFA type: EMAIL|EMAIL_BIND|TOTP_BIND|TOTP|PHONE_CODE|PHONE_CODE_BIND. EMAIL: email authentication; EMAIL_BIND: email binding; TOTP_BIND: first‑time OTP authenticator binding; TOTP: OTP verification (authenticator already bound); PHONE_CODE: phone authentication; PHONE_CODE_BIND: phone binding
code: string // When mfa_type=EMAIL/EMAIL_BIND, code is the email verification code; when mfa_type=TOTP/TOTP_BIND, code is the authenticator code; when mfa_type=PHONE_CODE/PHONE_CODE_BIND, code is the SMS verification code
totp_bind_code?: string // When mfa_type=TOTP_BIND, the email/phone verification code to be entered
email?: string // Email, required when type=EMAIL_BIND
phone_code?: string // Phone country code, required when type=PHONE_CODE_BIND, e.g., '86'
phone_num?: string // Phone number, required when type=PHONE_CODE_BIND
redirect_uri?: string // Redirect path after login; recommended to omit and use the global redirect_uri
scope?: string[] // Scope mapping; recommended to omit and use the global scope
state?: string // Custom parameter, returned as-is; recommended to omit and use the global state
grant_type?: string // Authorization mode; recommended to omit and use the global grant_type
response_type?: string // Response type, defaults to 'code'
}
// Same as the second parameter of the login method
interface RootAuthFlowCallbacks<T = unknown> {
onSuccess?: (data: T) => void
}
// Success/failure response includes this message for user display, same as login
type RootAuthClientSuccessResponse {
rootauth_message?: {
type: string // success, error, warning
msg: string // Prompt text, already internationalized
}
}
const params: LoginMfaVerifyParams = {
mfa_token: 'fsdfsdf',
mfa_type: 'EMAIL',
code: '123456',
email_code: '123456'
}
rootauth?.verifyLoginMfa(params)
.then((res) => {
// Add your own logic based on RootAuth's default behavior
})
.catch((err) => {
console.error(err)
})
.finally(() => {
})
7.8 Other Utility Methods
;}.cls-2{fill:%230868f7;}.cls-3{fill:url(%23未命名的渐变_44);}.cls-4{fill:%23333;}%3c/style%3e%3clinearGradient%20id='未命名的渐变_8'%20x1='33.73'%20y1='100.61'%20x2='-0.03'%20y2='-1.06'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20offset='0'%20stop-color='%237ae9fb'/%3e%3cstop%20offset='0.67'%20stop-color='%232b90f8'/%3e%3cstop%20offset='1'%20stop-color='%230868f7'/%3e%3c/linearGradient%3e%3clinearGradient%20id='未命名的渐变_44'%20x1='27.86'%20y1='18.67'%20x2='68.36'%20y2='22.22'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20offset='0'%20stop-color='%235ac7f2'/%3e%3cstop%20offset='1'%20stop-color='%230868f7'/%3e%3c/linearGradient%3e%3c/defs%3e%3cpath%20class='cls-1'%20d='M29,28.74V81.91l-9.51-3.68v0L8.52,74A7.17,7.17,0,0,1,4,67.32V24.54A3.76,3.76,0,0,1,9.08,21Z'/%3e%3cpath%20class='cls-2'%20d='M68.09,78.07a13.15,13.15,0,0,1-17.9,12.06L29,81.91h0V28.74L50.19,37A13.17,13.17,0,0,0,68.08,25.3h0Z'/%3e%3cpath%20class='cls-3'%20d='M68.08,25.3a13.19,13.19,0,0,1-6.73,10.87A13.09,13.09,0,0,1,50.19,37L29,28.74V6A3.76,3.76,0,0,1,34.1,2.52l25.59,9.91A13.22,13.22,0,0,1,68.08,25.3Z'/%3e%3cpath%20class='cls-4'%20d='M129.06,81.76a4.33,4.33,0,0,1-3.19-1.31,4.4,4.4,0,0,1-1.31-3.24V56.86H97.65V77.21a4.36,4.36,0,0,1-1.35,3.2A4.68,4.68,0,0,1,93,81.76a4.32,4.32,0,0,1-3.19-1.31,4.37,4.37,0,0,1-1.32-3.24V27.27A4.58,4.58,0,0,1,89.83,24a4.59,4.59,0,0,1,7.82,3.27V48.15h26.91V27.27A4.58,4.58,0,0,1,125.91,24a4.59,4.59,0,0,1,7.82,3.27V77.21a4.37,4.37,0,0,1-1.36,3.2A4.65,4.65,0,0,1,129.06,81.76Z'/%3e%3cpath%20class='cls-4'%20d='M163.77,81.66c-6.57,0-11.76-1.92-15.44-5.7s-5.54-9.07-5.54-15.74a26.76,26.76,0,0,1,2.09-10.43,17.72,17.72,0,0,1,6.67-8.06,19.15,19.15,0,0,1,10.68-2.95,19,19,0,0,1,10.46,2.8,18.7,18.7,0,0,1,6.55,7.36,22.53,22.53,0,0,1,2.36,10.28A4.51,4.51,0,0,1,177,63.77H152.23a10.8,10.8,0,0,0,3.49,6.65c2,1.68,4.88,2.52,8.66,2.52a22.25,22.25,0,0,0,7.54-1.21c.74-.3,1.55-.67,2.37-1.07a3.75,3.75,0,0,1,1.84-.4,4.09,4.09,0,0,1,3,1.15,4,4,0,0,1,1.12,3,4.38,4.38,0,0,1-2.58,3.82,32.34,32.34,0,0,1-6.36,2.61A28.67,28.67,0,0,1,163.77,81.66ZM172.4,55.9a9.72,9.72,0,0,0-1.63-4.56A9.9,9.9,0,0,0,167,48a10.38,10.38,0,0,0-4.64-1.14,12,12,0,0,0-4.77,1.06,9.54,9.54,0,0,0-4.89,5.66,11.78,11.78,0,0,0-.51,2.3Z'/%3e%3cpath%20class='cls-4'%20d='M193,81.64a4.49,4.49,0,0,1-4.51-4.55V27.28A4.58,4.58,0,0,1,189.84,24a4.48,4.48,0,0,1,3.28-1.36A4.36,4.36,0,0,1,196.35,24a4.46,4.46,0,0,1,1.31,3.31V77.09a4.34,4.34,0,0,1-1.35,3.2A4.67,4.67,0,0,1,193,81.64Z'/%3e%3cpath%20class='cls-4'%20d='M263.79,81.71a5.7,5.7,0,0,1-4.2-1.74,5.76,5.76,0,0,1-1.73-4.19V27.37a4.58,4.58,0,0,1,1.35-3.27A4.59,4.59,0,0,1,267,27.37V72.53h24a4.58,4.58,0,0,1,3.27,7.82A4.66,4.66,0,0,1,291,81.71Z'/%3e%3cpath%20class='cls-4'%20d='M424.48,81.74a4.71,4.71,0,0,1-2.71-.88,5.43,5.43,0,0,1-1-1l-.07-.09-12.41-17-5.41,5v9.44a4.31,4.31,0,0,1-1.36,3.19,4.66,4.66,0,0,1-3.3,1.36A4.29,4.29,0,0,1,395,80.42a4.36,4.36,0,0,1-1.32-3.23V27.37A4.58,4.58,0,0,1,395,24.1a4.52,4.52,0,0,1,6.58.12,4.54,4.54,0,0,1,1.24,3.15V56.31l17.72-16.38.05,0a4.8,4.8,0,0,1,2.94-1.11,4.4,4.4,0,0,1,3.27,1.2,4.57,4.57,0,0,1,1.2,3.27,4.44,4.44,0,0,1-.77,2.33,7.45,7.45,0,0,1-1.43,1.65l-11,9.64,13.34,17.68a5,5,0,0,1,1,2.71,4.12,4.12,0,0,1-1.36,3.24A4.64,4.64,0,0,1,424.48,81.74Z'/%3e%3cpath%20class='cls-4'%20d='M317.93,81.76a21.5,21.5,0,1,1,21.17-21.5A21.37,21.37,0,0,1,317.93,81.76Zm0-34.1a12.61,12.61,0,1,0,12.42,12.6A12.52,12.52,0,0,0,317.93,47.66Z'/%3e%3cpath%20class='cls-4'%20d='M212.18,101.22a4.12,4.12,0,0,1-3.05-1.26,4.17,4.17,0,0,1-1.26-3.1V43.34a4.37,4.37,0,0,1,1.3-3.14,4.26,4.26,0,0,1,3.13-1.3,4.19,4.19,0,0,1,3.1,1.26,4.32,4.32,0,0,1,1.26,3.16,20.77,20.77,0,0,1,13-4.54,21.51,21.51,0,0,1,0,43,20.51,20.51,0,0,1-13-4.57V96.86a4.15,4.15,0,0,1-1.3,3.06A4.5,4.5,0,0,1,212.18,101.22Zm17.43-53.63c-6.23,0-12.93,4.11-12.93,12.72a12.73,12.73,0,0,0,25.46,0A12.71,12.71,0,0,0,229.61,47.59Z'/%3e%3cpath%20class='cls-4'%20d='M365.76,81.76a21.5,21.5,0,1,1,21.18-21.5A21.37,21.37,0,0,1,365.76,81.76Zm0-34.1a12.61,12.61,0,1,0,12.42,12.6A12.52,12.52,0,0,0,365.76,47.66Z'/%3e%3c/svg%3e)