The @authdog/sveltekit SDK provides a cookie-reading handle hook, server helpers, and a browser token bootstrap for SvelteKit.
Install
npm install @authdog/sveltekityarn add @authdog/sveltekitpnpm add @authdog/sveltekitbun add @authdog/sveltekitdeno add npm:@authdog/sveltekitRequires @sveltejs/kit ^2. Expose your publishable key as PUBLIC_AUTHDOG_PUBLIC_KEY (SvelteKit's PUBLIC_ prefix makes it readable via import.meta.env).
Add the handle hook
createAuthdogHandle reads the authdog-session cookie and populates event.locals.authdog on every request:
// src/hooks.server.ts
import { createAuthdogHandle } from "@authdog/sveltekit/server"
export const handle = createAuthdogHandle({
publicKey: import.meta.env.PUBLIC_AUTHDOG_PUBLIC_KEY,
})locals.authdog.isAuthenticated means only that the cookie exists. It does not validate the token.
Read the user in a load function
Call getUser(request) to validate the cookie through Authdog userinfo before granting access. getSession(request) returns the raw cookie value and performs no validation:
// src/routes/profile/+page.server.ts
import { createAuthdogServer } from "@authdog/sveltekit/server"
const authdog = createAuthdogServer({
publicKey: import.meta.env.PUBLIC_AUTHDOG_PUBLIC_KEY,
})
export const load = async ({ request }) => {
const identity = await authdog.getUser(request).catch(() => null)
if (!identity) {
return { user: null }
}
return { user: identity.user }
}The server instance also exposes logout(request). Pair validated identity with authorization.
Client bootstrap
Run initAuthdog() once on mount to shape-check ?token=, store it in browser localStorage, strip the URL, and reload:
<!-- src/routes/+layout.svelte -->
<script>
import { onMount } from "svelte"
import { initAuthdog } from "@authdog/sveltekit/client"
onMount(() => initAuthdog())
</script>This bootstrap does not create the server's authdog-session cookie. For server-side authentication, your callback/backend must set that cookie as HttpOnly, Secure, and SameSite after validating the token. clearAuthdogToken() clears only browser storage; authdog.logout(request) clears the server cookie.
Next steps
- Sign up & sign in — the flows behind the redirect.
- Backend requests — the verification model, in depth.