TypeScript
- @atproto/oauth-client-browser (npmjs) - Suitable for frontend-only applications (e.g. SPAs).
- @atproto/oauth-client-node (npmjs) - Suitable for Electron desktop apps or server-side deployments.
- @atproto/oauth-client-expo (npmjs) - For use in React Native projects (e.g. mobile apps)
- @atproto/oauth-client (npmjs) (This is the core implementation on which the above three libraries depend)
Go
- Indigo (Online API Docs) - Suitable for native apps or server-side deployments
Atproto OAuth Example Apps
These simple example apps demonstrate usage of their respective SDKs.
| Example App | Language | SDK | Architecture | Confidential Client? | Localhost development client ID? |
|---|---|---|---|---|---|
| cookbook/react-native-oauth | TypeScript | @atproto/oauth-client-expo | Mobile App (no backend) | No | No (requires hosted client metadata) |
| cookbook/vanillajs-oauth-web-app | JavaScript | @atproto/oauth-client-browser | Web SPA (no backend) | No | Optionally |
| cookbook/go-oauth-web-app | Go | indigo | Web BFF | Optionally | Optionally |
| cookbook/go-oauth-cli-app | Go | indigo | Native CLI | No | No (requires hosted client metadata) |
| cookbook/python-oauth-web-app | Python | None | Web BFF | Optionally | Optionally |
| cookbook/react-native-oauth | |
| Language | TypeScript |
|---|---|
| SDK | @atproto/oauth-client-expo |
| Architecture | Mobile App (no backend) |
| Confidential Client? | No |
| Localhost development client ID? | No (requires hosted client metadata) |
| cookbook/vanillajs-oauth-web-app | |
| Language | JavaScript |
|---|---|
| SDK | @atproto/oauth-client-browser |
| Architecture | Web SPA (no backend) |
| Confidential Client? | No |
| Localhost development client ID? | Optionally |
| cookbook/go-oauth-web-app | |
| Language | Go |
|---|---|
| SDK | indigo |
| Architecture | Web BFF |
| Confidential Client? | Optionally |
| Localhost development client ID? | Optionally |
| cookbook/go-oauth-cli-app | |
| Language | Go |
|---|---|
| SDK | indigo |
| Architecture | Native CLI |
| Confidential Client? | No |
| Localhost development client ID? | No (requires hosted client metadata) |
| cookbook/python-oauth-web-app | |
| Language | Python |
|---|---|
| SDK | None |
| Architecture | Web BFF |
| Confidential Client? | Optionally |
| Localhost development client ID? | Optionally |
The Python example does not use an SDK! It may be useful as reference when building an OAuth SDK from scratch, alongside the advanced OAuth client implementation guide
Types of App
The simplest type of app is one where the OAuth session is established directly between the user's device and the PDS, as demonstrated in the cookbook/vanillajs-oauth-web-app example. It's simple because it doesn't require a dedicated backend service, only hosting static resources.
If your app doesn't need long-lived sessions, then this approach is completely fine. But for other use cases, session lifetime will be limited because the app is a "public client", as opposed to a "confidential client". Becoming a confidential client involves establishing a secret key, bound to the client ID. If the client is publicly available and runs on the user's own device, it cannot protect a client secret. Thus, implementing a confidential client necessitates hosting some backend infrastructure, which the cookbook/go-oauth-web-app and cookbook/python-oauth-web-app examples demonstrate (both using the "BFF" pattern, see below).
See Types of Clients for more technical details on confidential vs. public clients.
There are several design strategies that can be used to "upgrade" a public client into a confidential client:
- Backend For Frontend (BFF): The OAuth session is established between the app backend server and the PDS. This server-side session is associated with the user's frontend session via mechanisms such as session cookies. The frontend makes requests to the PDS by proxying them through the backend, which handles the OAuth authorization.
- Token-Mediating Backend (TMB): Similar to the BFF pattern, except the backend passes OAuth access tokens to the frontend once the session has been established, allowing the frontend to make direct requests to the PDS.
- Client Assertion Backend: A proposed alternative to the TMB pattern with simplified server-side logic.
Of these three, the BFF pattern is the currently recommended approach for building confidential-client applications. This is demonstrated in the cookbook/go-oauth-web-app and cookbook/python-oauth-web-app examples.