IdP Configuration
Complete configuration reference for @openape/nuxt-auth-idp.
Module Options
Configure in nuxt.config.ts under the openapeIdp key:
```ts
export default defineNuxtConfig({
  modules: ['@openape/nuxt-auth-idp'],
  openapeIdp: {
    rpName: 'My IdP',
    rpID: 'id.example.com',
    rpOrigin: 'https://id.example.com',
    managementToken: process.env.MANAGEMENT_TOKEN,
    sessionSecret: process.env.SESSION_SECRET
  }
})
```
Core Options
| Option | Type | Default | Env Var | Description |
|---|---|---|---|---|
| `rpName` | `string` | `''` | `NUXT_OPENAPE_IDP_RP_NAME` | WebAuthn relying party name (shown to the user during registration) |
| `rpID` | `string` | `''` | `NUXT_OPENAPE_IDP_RP_ID` | WebAuthn relying party ID (usually the domain, e.g. `id.example.com`) |
| `rpOrigin` | `string` | `''` | `NUXT_OPENAPE_IDP_RP_ORIGIN` | WebAuthn relying party origin (full URL, e.g. `https://id.example.com`) |
| `issuer` | `string` | `''` | `NUXT_OPENAPE_IDP_ISSUER` | OAuth issuer URL (defaults to `rpOrigin` if not set) |
| `managementToken` | `string` | `''` | `NUXT_OPENAPE_IDP_MANAGEMENT_TOKEN` | Management API token for admin operations |
| `adminEmails` | `string` | `''` | `NUXT_OPENAPE_IDP_ADMIN_EMAILS` | Comma-separated admin email addresses |
The `managementToken` is the most critical security credential in an OpenApe deployment. See the Threat Model for handling guidelines.
Session Options
| Option | Type | Default | Env Var | Description |
|---|---|---|---|---|
| `sessionSecret` | `string` | `'change-me-...'` | `NUXT_OPENAPE_IDP_SESSION_SECRET` | Session encryption secret (min. 32 characters) |
| `sessionMaxAge` | `number` | `604800` | `NUXT_OPENAPE_IDP_SESSION_MAX_AGE` | Session max age in seconds (default: 7 days) |
WebAuthn Options
| Option | Type | Default | Description |
|---|---|---|---|
| `requireUserVerification` | `boolean` | `false` | Require user verification (biometric or PIN) on every authentication |
| `residentKey` | `'preferred' \| 'required' \| 'discouraged'` | `'preferred'` | Discoverable credential (passkey) policy |
| `attestationType` | `'none' \| 'indirect' \| 'direct' \| 'enterprise'` | `'none'` | Attestation conveyance preference |
With `requireUserVerification` left at `false`, possession of the authenticator (a touch) is enough to sign in; set it to `true` where the passkey is the only factor. Values of `attestationType` other than `'none'` only add assurance if the deployment actually verifies the attestation statements it receives; `'none'` is the privacy-preserving default.
Storage Options
| Option | Type | Default | Env Var | Description |
|---|---|---|---|---|
| `storageKey` | `string` | `'openape-idp'` | `NUXT_OPENAPE_IDP_STORAGE_KEY` | Key prefix for user data storage |
Storage uses Nitro's built-in storage layer. Configure the driver in `nitro.storage`, mounted under the same key as `storageKey` (the default `openape-idp` in this example):
```ts
export default defineNuxtConfig({
  nitro: {
    storage: {
      'openape-idp': {
        driver: 's3',
        bucket: 'my-openape-bucket',
        region: 'eu-central-1'
      }
    }
  }
})
```
Federation Options
| Option | Type | Default | Description |
|---|---|---|---|
| `federationProviders` | `string` | `''` | Federation providers as a JSON string |
Grants Configuration
Configure under openapeIdp.grants:
```ts
openapeIdp: {
  grants: {
    enablePages: true,
    storageKey: 'openape-grants'
  }
}
```
| Option | Type | Default | Description |
|---|---|---|---|
| `enablePages` | `boolean` | `true` | Enable the `/grants`, `/grant-approval` and `/enroll` pages |
| `storageKey` | `string` | `'openape-grants'` | Key prefix for grant data storage |
Route Configuration
Control which route groups are enabled:
```ts
openapeIdp: {
  routes: {
    auth: true,
    oauth: true,
    grants: true,
    admin: true,
    agent: true
  }
}
```
| Option | Type | Default | Routes |
|---|---|---|---|
| `auth` | `boolean` | `true` | `/api/logout`, `/api/me`, `/api/webauthn/*`, federation routes |
| `oauth` | `boolean` | `true` | `/authorize`, `/token`, `/revoke`, `/.well-known/*`, `/userinfo` |
| `grants` | `boolean` | `true` | `/api/grants/*`, `/api/delegations/*` |
| `admin` | `boolean` | `true` | `/api/admin/users/*`, `/api/admin/agents/*`, `/api/admin/sessions/*`, `/api/admin/registration-urls/*` |
| `agent` | `boolean` | `true` | `/api/agent/challenge`, `/api/agent/authenticate`, `/api/agent/enroll` |
Set routes: false to disable all routes (useful if you only need the storage layer).
Pages
| Option | Type | Default | Description |
|---|---|---|---|
| `pages` | `boolean` | `true` | Enable built-in pages |
Built-in pages:
- `/login`: login form with Passkey
- `/register`: new user registration (via registration URL)
- `/account`: account management
- `/admin`: admin dashboard
- `/grants`: grant dashboard (if `grants.enablePages`)
- `/grant-approval`: approve/deny UI (if `grants.enablePages`)
- `/enroll`: agent enrollment form (if `grants.enablePages`)
Set pages: false to use your own custom pages while keeping the API routes.
Production Checklist
- Set a strong `sessionSecret` (32+ random characters)
- Set `managementToken` to a unique, random value
- Set `rpID` to your production domain
- Set `rpOrigin` to your full production URL (with `https://`)
- Configure persistent storage (S3 or filesystem, NOT the default in-memory storage)
- Set `adminEmails` to trusted administrator addresses
- Never expose `managementToken` in client-side code or agent configs