SP Configuration
Complete configuration reference for @openape/nuxt-auth-sp.
All configuration options for the @openape/nuxt-auth-sp Nuxt module.
Module Options
Configure in nuxt.config.ts under the openapeSp key:
```ts
export default defineNuxtConfig({
  modules: ['@openape/nuxt-auth-sp'],
  openapeSp: {
    clientId: 'app.example.com',
    sessionSecret: process.env.SP_SESSION_SECRET,
    fallbackIdpUrl: 'https://id.openape.at'
  }
})
```
Core Options
| Option | Type | Default | Env Var | Description |
|---|---|---|---|---|
| clientId | string | '' | NUXT_OPENAPE_SP_CLIENT_ID | OIDC client ID (auto-derived to localhost:PORT in dev) |
| spName | string | 'OpenApe Service Provider' | NUXT_OPENAPE_SP_SP_NAME | Service provider display name |
| sessionSecret | string | 'change-me-...' | NUXT_OPENAPE_SP_SESSION_SECRET | Session encryption secret (auto-generated in dev, required in prod) |
| openapeUrl | string | '' | NUXT_OPENAPE_SP_OPENAPE_URL | OpenApe IdP URL (overrides DNS discovery) |
| fallbackIdpUrl | string | 'https://id.openape.at' | NUXT_OPENAPE_SP_FALLBACK_IDP_URL | Fallback IdP when no DDISA TXT record exists |
| routes | boolean | true | — | Enable route handlers |
Server Routes
When routes: true (default), these routes are auto-registered:
| Method | Path | Description |
|---|---|---|
| POST | /api/login | Initiate login (accepts { email }, returns redirect URL) |
| GET | /api/callback | OAuth callback (exchanges code for token, creates session) |
| POST | /api/logout | End session |
| GET | /api/me | Get current user info |
| GET | /.well-known/oauth-client-metadata | OAuth client metadata |
| GET | /.well-known/auth.md | Machine-readable auth spec for agents |
| GET | /.well-known/openape.json | OpenApe service manifest |
Client-Side API
useOpenApeAuth() Composable
```ts
const { user, loading, fetchUser, login, logout } = useOpenApeAuth()
```
| Property | Type | Description |
|---|---|---|
| user | Ref<User \| null> | Current user (null if not logged in) |
| loading | Ref<boolean> | Loading state |
| fetchUser() | () => Promise<void> | Refresh user data from /api/me |
| login(email) | (email: string) => Promise<void> | Start login flow |
| logout() | () => Promise<void> | End session |
<OpenApeAuth /> Component
Drop-in login form:
```vue
<OpenApeAuth
  title="Login"
  subtitle="Enter your email"
  button-text="Continue"
  placeholder="you@example.com"
  @error="handleError"
/>
```
Props:
| Prop | Type | Default | Description |
|---|---|---|---|
| title | string | 'Login' | Form title |
| subtitle | string | 'Enter your email to sign in' | Form subtitle |
| buttonText | string | 'Continue' | Submit button text |
| placeholder | string | 'you@example.com' | Email input placeholder |
Events:
| Event | Payload | Description |
|---|---|---|
| error | Error | Emitted when login fails |
Slots: header, button, error, footer
CSS Variables:
| Variable | Default | Description |
|---|---|---|
| --oa-bg | — | Background color |
| --oa-border | — | Border color |
| --oa-text | — | Text color |
| --oa-primary | — | Primary/accent color |
| --oa-error | — | Error text color |
| --oa-radius | — | Border radius |
| --oa-font | — | Font family |
Service Manifest
The manifest option configures the /.well-known/openape.json endpoint, which agents use to discover the SP's capabilities:
```ts
openapeSp: {
  manifest: {
    service: {
      name: 'My App',
      description: 'A grant-aware application',
      url: 'https://app.example.com',
      contact: 'admin@example.com'
    },
    auth: {
      ddisa_domain: 'example.com',
      supported_methods: ['ddisa']
    },
    scopes: {
      'read:data': {
        name: 'Read Data',
        description: 'Read application data',
        risk: 'low'
      },
      'write:data': {
        name: 'Write Data',
        description: 'Modify application data',
        risk: 'medium'
      }
    },
    policies: {
      agent_access: 'grant_required',
      delegation: 'allowed'
    }
  }
}
```
Vercel / Serverless Deployment
For serverless environments, configure Nitro to inline external dependencies:
```ts
export default defineNuxtConfig({
  nitro: {
    preset: 'vercel',
    externals: {
      inline: ['@openape/nuxt-auth-sp']
    }
  }
})
```
Production Checklist
- Set a strong sessionSecret (32+ random characters)
- Set clientId to your production domain
- Configure fallbackIdpUrl (or set to '' to reject domains without DDISA records)
- Ensure your app is served over HTTPS
- Configure the service manifest for agent discoverability
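
A preflight check for the checklist above, as an added example that is not part of @openape/nuxt-auth-sp. `checkSpConfig` and its finding strings are hypothetical names, the check assumes the environment variables from the Core Options table take precedence over `nuxt.config.ts` values, and the distinct-character test on the secret is a heuristic added here.

```javascript
// Added example, not part of @openape/nuxt-auth-sp.
// Assumption: env vars from the Core Options table override nuxt.config.ts values.
const ENV_VARS = {
  clientId: 'NUXT_OPENAPE_SP_CLIENT_ID',
  sessionSecret: 'NUXT_OPENAPE_SP_SESSION_SECRET',
  openapeUrl: 'NUXT_OPENAPE_SP_OPENAPE_URL',
  fallbackIdpUrl: 'NUXT_OPENAPE_SP_FALLBACK_IDP_URL'
}

function isHttpsUrl(value) {
  try {
    return new URL(value).protocol === 'https:'
  } catch {
    return false // not parseable as an absolute URL
  }
}

// Returns checklist findings; an empty array means every check passed.
function checkSpConfig(config, env = {}) {
  const o = { ...config }
  for (const [key, name] of Object.entries(ENV_VARS)) {
    if (env[name] !== undefined) o[key] = env[name]
  }
  const findings = []
  const secret = o.sessionSecret ?? ''
  if (secret.startsWith('change-me')) findings.push('sessionSecret: default placeholder')
  else if (secret.length < 32) findings.push('sessionSecret: missing or under 32 characters')
  // Heuristic added here (not from the page): catches 'aaaa...' style padding.
  else if (new Set(secret).size < 8) findings.push('sessionSecret: too few distinct characters')

  const clientId = o.clientId ?? ''
  if (!clientId) findings.push('clientId: empty')
  else if (/^localhost(:|$)/.test(clientId)) findings.push('clientId: dev value (localhost)')

  // '' is valid for fallbackIdpUrl: it rejects domains without DDISA records.
  for (const key of ['openapeUrl', 'fallbackIdpUrl']) {
    if (o[key] && !isHttpsUrl(o[key])) findings.push(`${key}: not an https URL`)
  }
  const serviceUrl = o.manifest?.service?.url
  if (!serviceUrl) findings.push('manifest: service.url not configured')
  else if (!isHttpsUrl(serviceUrl)) findings.push('manifest: service.url is not https')
  return findings
}

// Constructed sample: a dev-style config that should not reach production.
const SAMPLE = { clientId: 'localhost:3000', sessionSecret: 'change-me-dev', fallbackIdpUrl: 'http://idp.test' }
console.log(checkSpConfig(SAMPLE, {}))
```

Run it in CI against the resolved options and fail the deploy when the returned array is non-empty.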