The @authdog/tanstack-start SDK provides a callback loader, HttpOnly cookie handling, and a small React URL-cleanup provider.
Install
npm install @authdog/tanstack-startyarn add @authdog/tanstack-startpnpm add @authdog/tanstack-startbun add @authdog/tanstack-startdeno add npm:@authdog/tanstack-startRequires @tanstack/react-start ^1 and React 18 or 19. Set PK_AUTHDOG (your pk_... key) on the server.
Wrap the app
Wrap the root component with AuthdogProvider. When ?token= is present, it removes the parameter and reloads. It does not validate or persist the token, so the server loader must process the original request first:
import { AuthdogProvider } from "@authdog/tanstack-start/client"
function RootLayout({ children }: { children: React.ReactNode }) {
return <AuthdogProvider>{children}</AuthdogProvider>
}Handle the callback on the server
identityLoader() accepts a standard Request and returns a standard Response. It validates callback and cookie credentials through Authdog userinfo. Return its Response unchanged from the server route that receives the hosted sign-in redirect:
import { identityLoader } from "@authdog/tanstack-start"
const loadIdentity = identityLoader()
export async function handleAuthdogRequest(request: Request): Promise<Response> {
return loadIdentity({ request })
}Wire handleAuthdogRequest into a TanStack Start server route matched by the callback URL. Do not call response.json() and return only its body: that drops the two Set-Cookie headers. The loader reports { user, isAuthenticated, signinUri }; it does not redirect or deny access, so protected handlers must check isAuthenticated and apply authorization.
Sign out
logoutLoader is a server loader and returns a 302 Response that clears the session cookies. Return it unchanged from a server route:
import { logoutLoader } from "@authdog/tanstack-start"
export const logout = logoutLoaderAuthdogProvider is presentational callback cleanup, not an authentication provider or route guard.
Next steps
- Component reference — the
@authdog/react-elementsUI. - Backend requests — the verification model, in depth.
- Quickstarts — the five-minute path.