zMesh / Auth
Auth
Email + password, magic links, sessions, refresh, and onAuthStateChange — without managing JWTs by hand.
Sign-up, sign-in, sign-out
ts
// Sign up — also issues a session and sends a verification email
const { user, tokens } = await zmesh.auth.signUp({
email: "alice@example.com",
password: "hunter2",
display_name: "Alice",
});
// Sign in with password
await zmesh.auth.signInWithPassword({
email: "alice@example.com",
password: "hunter2",
});
// Sign out
await zmesh.auth.signOut();Magic link (passwordless)
Send a one-time link. The user clicks it and lands signed-in on your redirect URI.
ts
await zmesh.auth.signInWithMagicLink({
email: "alice@example.com",
redirect_uri: "https://app.example.com/welcome",
});React to auth changes
A single subscription powers your auth-aware UI.
ts
const { unsubscribe } = zmesh.auth.onAuthStateChange((event, session) => {
// event: "SIGNED_IN" | "SIGNED_OUT" | "TOKEN_REFRESHED" | "MFA_REQUIRED"
console.log(event, session?.user.email);
});Read the current user / session
getUser() hits the network for a fresh check, getSession() returns the cached one.
ts
const user = await zmesh.auth.getUser();
const session = zmesh.auth.getSession();
// session?.access_token, session?.refresh_token, session?.userRaw HTTP
Every request needs X-App-Id. Authenticated requests additionally need Authorization: Bearer <access_token>.
bash
curl -X POST <api-url>/v1/auth/login \
-H "X-App-Id: <your-app-id>" \
-H "Content-Type: application/json" \
-d '{"email":"alice@example.com","password":"hunter2"}'