@authaz/hono mounts the OAuth flow as a sub-app on your Hono server. It runs anywhere Hono runs — Node, Bun, Cloudflare Workers, Deno, AWS Lambda. About 8 minutes.
An Authaz application with http://localhost:3000/auth/callback registered as a redirect URI. New to Authaz? Set up your app in 60 seconds — you'll come back with , , and ready to paste in.
Authaz redirects users back to /auth/callback as a GET, but the handler expects a POST (so the auth code never ends up logged in browser history). Serve a tiny HTML page that re-POSTs:
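One way to build that bridge page, as an added example rather than code from the Authaz docs. `buildCallbackBridge` is a hypothetical helper, and the example assumes the POST handler sits at the same path and accepts form-encoded `code` and `state` fields.

```javascript
// Added example: GET /auth/callback bridge that re-POSTs the OAuth response.
// ASSUMPTIONS (not from the @authaz/hono docs): the POST handler lives at the
// same path and reads form-encoded `code` and `state` fields.
const CALLBACK_PATH = "/auth/callback";

// The page is static: query values are never interpolated server-side, so a
// crafted ?code= or ?state= cannot inject markup. The browser copies them into
// hidden inputs through the DOM, strips them from the URL, then submits.
const BRIDGE_HTML = `<!doctype html>
<meta charset="utf-8">
<title>Signing in</title>
<form id="f" method="post" action="${CALLBACK_PATH}">
  <input type="hidden" name="code">
  <input type="hidden" name="state">
</form>
<script>
  const q = new URLSearchParams(location.search);
  const f = document.getElementById("f");
  f.elements.code.value = q.get("code") || "";
  f.elements.state.value = q.get("state") || "";
  history.replaceState(null, "", location.pathname); // drop code/state from this history entry
  f.submit();
</script>`;

const SECURITY_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "Cache-Control": "no-store",       // keep the response out of caches
  "Referrer-Policy": "no-referrer",  // never send the callback URL onward
  "X-Content-Type-Options": "nosniff",
};

// Returns { status, headers, body } for an absolute callback URL (e.g. c.req.url).
function buildCallbackBridge(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  // RFC 6749 section 4.1.2.1: failures arrive as ?error=... with no code.
  if (params.has("error") || !params.get("code")) {
    return { status: 400,
             headers: { ...SECURITY_HEADERS, "Content-Type": "text/plain; charset=utf-8" },
             body: "Sign-in failed or the callback was incomplete." };
  }
  return { status: 200, headers: SECURITY_HEADERS, body: BRIDGE_HTML };
}

// Wiring into Hono (app is your Hono instance):
// app.get(CALLBACK_PATH, (c) => {
//   const r = buildCallbackBridge(c.req.url);
//   return c.body(r.body, r.status, r.headers);
// });
```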
authMiddleware() — fast, cookie-only check. Returns 401 if no session cookie:
```ts
import { authMiddleware } from "@authaz/hono";

app.use("/api/protected/*", authMiddleware());

app.get("/api/protected/data", (c) => {
  return c.json({ secret: "only signed-in users see this" });
});
```
createAuthMiddleware({ authazDomain, apiKey }) — fetches the user via OIDC userinfo and attaches them to the context. Use when you actually need the user object:
```ts
import { createAuthMiddleware } from "@authaz/hono";

const { requireUser, optionalUser } = createAuthMiddleware({
  authazDomain: "https://auth.authaz.io",
  apiKey: process.env.AUTHAZ_API_KEY!,
});

app.use("/api/profile", requireUser);

app.get("/api/profile", (c) => {
  const user = c.get("user");
  return c.json({ user });
});
```
optionalUser does the same fetch but does not 401 if the user is unauthenticated — useful for personalized public pages.
Run the React quickstart on the same origin (or proxy /api/auth/* from your dev server) and the SDK on both sides will share the session cookie automatically. Vite proxy snippet: