OpenApe Auth

@openape/core

The foundation package. Framework-agnostic, zero dependencies.

• DNS Discovery — resolve _ddisa.{domain} TXT records to find the IdP
• PKCE — code challenge/verifier generation for secure OAuth flows
• JWT — sign, verify, and validate DDISA assertion tokens
• Types — DDISAAssertionClaims, ActorType, AuthFlowState, etc.

@openape/auth

Complete OIDC login protocol logic — both sides in one package.

IdP Side

• handleAuthorize() — validate authorization requests
• handleTokenExchange() — exchange codes for signed assertions
• issueAssertion() — create minimal AuthN-JWTs with act claim
• WebAuthn — createRegistrationOptions(), verifyRegistration(), createAuthenticationOptions(), verifyAuthentication()

SP Side

• discoverIdP() — DNS-based IdP discovery via DoH
• createAuthorizationURL() — build OAuth redirect with PKCE
• handleCallback() — exchange code, validate assertion

@openape/nuxt-auth-idp

Drop-in Nuxt module. Add it, configure it, you're an IdP.

Auto-registered routes:

• /login, /register, /account — Passkey-based UI (overridable)
• /admin — User and agent management
• /authorize, /token — OAuth endpoints
• /.well-known/jwks.json — Public key discovery
• /api/webauthn/* — Registration and login flows
• /api/admin/* — User, agent, and registration URL management

Configuration via openapeIdp in nuxt.config.ts:

openapeIdp: {
  rpName: 'My IdP',
  rpID: 'id.example.com',
  rpOrigin: 'https://id.example.com',
  requireUserVerification: true,  // NIS2 strict mode
  residentKey: 'required',        // true passkey experience
  attestationType: 'none',        // or 'direct' for enterprise
}

@openape/nuxt-auth-sp

Drop-in Nuxt module. Stateless. Zero server storage.

Auto-registered routes:

• /api/login — initiate DDISA login flow
• /api/callback — handle OAuth callback
• /api/logout — destroy session
• /api/me — current user info
• /.well-known/sp-manifest.json — SP metadata

Composable: useSpAuth() for client-side auth state.