Authdog

SvelteKit

Last updated Jul 19, 2026npmlatestCI passing
View as Markdown

The @authdog/sveltekit SDK provides a cookie-reading handle hook, server helpers, and a browser token bootstrap for SvelteKit.

Install

npm install @authdog/sveltekit

Requires @sveltejs/kit ^2. Expose your publishable key as PUBLIC_AUTHDOG_PUBLIC_KEY (SvelteKit's PUBLIC_ prefix makes it readable via import.meta.env).

Add the handle hook

createAuthdogHandle reads the authdog-session cookie and populates event.locals.authdog on every request:

// src/hooks.server.ts
import { createAuthdogHandle } from "@authdog/sveltekit/server"

export const handle = createAuthdogHandle({
  publicKey: import.meta.env.PUBLIC_AUTHDOG_PUBLIC_KEY,
})

locals.authdog.isAuthenticated means only that the cookie exists. It does not validate the token.

Read the user in a load function

Call getUser(request) to validate the cookie through Authdog userinfo before granting access. getSession(request) returns the raw cookie value and performs no validation:

// src/routes/profile/+page.server.ts
import { createAuthdogServer } from "@authdog/sveltekit/server"

const authdog = createAuthdogServer({
  publicKey: import.meta.env.PUBLIC_AUTHDOG_PUBLIC_KEY,
})

export const load = async ({ request }) => {
  const identity = await authdog.getUser(request).catch(() => null)
  if (!identity) {
    return { user: null }
  }
  return { user: identity.user }
}

The server instance also exposes logout(request). Pair validated identity with authorization.

Client bootstrap

Run initAuthdog() once on mount to shape-check ?token=, store it in browser localStorage, strip the URL, and reload:

<!-- src/routes/+layout.svelte -->
<script>
  import { onMount } from "svelte"
  import { initAuthdog } from "@authdog/sveltekit/client"
  onMount(() => initAuthdog())
</script>

This bootstrap does not create the server's authdog-session cookie. For server-side authentication, your callback/backend must set that cookie as HttpOnly, Secure, and SameSite after validating the token. clearAuthdogToken() clears only browser storage; authdog.logout(request) clears the server cookie.

Next steps

Learn more