Quickstart

Start with the Next.js demo — a complete, production-pattern integration you can clone, configure, and run in under 10 minutes.

Prerequisites

Get your credentials

In the AuthWorx admin panel, go to API Keys and create a new key. Note your org slug from the panel URL (e.g. acme-corp).

You will need:

  • AUTHWORX_ORG_SLUG — your org slug
  • AUTHWORX_API_KEY — starts with pk_live_
  • AUTHWORX_WEBHOOK_SECRET — shown once when creating a webhook (optional for now)

Clone the demo

git clone https://github.com/htuthings/authworx-next-demo.git
cd authworx-next-demo
npm install

Configure environment variables

cp .env.local.example .env.local

Edit .env.local:

AUTHWORX_URL=https://authworx.uthings.io/api/v1
AUTHWORX_ORG_SLUG=your-org-slug
AUTHWORX_API_KEY=pk_live_...
AUTHWORX_WEBHOOK_SECRET=whs_...          # optional — needed for webhook verification

# Public copy for the login screen
NEXT_PUBLIC_AUTHWORX_ORG_SLUG=your-org-slug

⚠️ Never expose AUTHWORX_API_KEY to the browser. Only variables prefixed NEXT_PUBLIC_ are sent to the client.

Run the dev server

npm run dev

Open http://localhost:3000. You will be redirected to /login. Sign in with any user who is an active member of your org.

Verify a user token from your backend

Once the user logs in, your backend can verify their identity using your API key. Pass the access_token cookie value as the token.

Request

curl -X POST https://authworx.uthings.io/api/v1/public/verify \
  -H "X-Org-Slug: your-org-slug" \
  -H "X-API-Key: pk_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "token": "<access_token>" }'

Response

{
  "status": "success",
  "data": {
    "valid": true,
    "user": {
      "id": "usr_01HXYZ",
      "name": "Alice Chen",
      "email": "alice@acme.com",
      "role": "user",
      "isEmailVerified": true
    },
    "membership": {
      "role": "member",
      "status": "active",
      "joinedAt": "2025-01-15T10:00:00.000Z"
    },
    "org": {
      "id": "org_01ABCD",
      "name": "Acme Corp",
      "slug": "acme-corp",
      "plan": "pro",
      "status": "active"
    }
  }
}

The demo's app/api/me/route.ts does exactly this: it verifies the token and transparently refreshes it if expired. Copy that pattern into your own protected routes.
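
One way to wrap the verify call for a protected route so that it fails closed, as an added example (not the demo's app/api/me/route.ts and not AuthWorx code). The function names and the extra membership and org checks are assumptions of this example; token refresh is not shown.

```javascript
// Added example, not the demo's code. Endpoint, headers and response fields
// come from the request/response shown above; function names are hypothetical.

// Build the POST described above. cfg = { url, orgSlug, apiKey } from server-side env vars.
function buildVerifyRequest(token, cfg) {
  if (typeof token !== "string" || token.length === 0) {
    throw new TypeError("missing access token");
  }
  return {
    url: `${cfg.url.replace(/\/+$/, "")}/public/verify`,
    init: {
      method: "POST",
      headers: {
        "X-Org-Slug": cfg.orgSlug,
        "X-API-Key": cfg.apiKey, // server-side secret: never a NEXT_PUBLIC_ variable
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ token }),
    },
  };
}

// Fail closed: return the verified identity only if every check passes, else null.
// The membership/org checks are this example's policy (assumption), not an API requirement.
function evaluateVerifyResponse(httpOk, body, expectedOrgSlug) {
  const data = body && body.status === "success" ? body.data : null;
  if (!httpOk || !data || data.valid !== true) return null;
  if (!data.user || typeof data.user.id !== "string") return null;
  if (!data.membership || data.membership.status !== "active") return null;
  if (!data.org || data.org.slug !== expectedOrgSlug) return null;
  return { userId: data.user.id, email: data.user.email, orgRole: data.membership.role };
}

// Glue: call from a route handler with the access_token cookie value.
async function verifyAccessToken(token, cfg, fetchImpl = fetch) {
  try {
    const { url, init } = buildVerifyRequest(token, cfg);
    const res = await fetchImpl(url, init);
    const body = await res.json().catch(() => null);
    return evaluateVerifyResponse(res.ok, body, cfg.orgSlug);
  } catch {
    return null; // missing token, network or parse failure: treat as not authenticated
  }
}
```

A null result should map to a 401 in the route; the fetchImpl parameter exists so the function can be exercised with a stub in unit tests.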

Set up your first webhook (optional)

In the admin panel, go to Webhooks and create a subscription. Use webhook.site as the URL to inspect deliveries without running a server.

Select events like member.joined and click Test — a signed HTTP POST will arrive at your endpoint within seconds.

See Webhooks and Signature Verification for how to verify the payload in production.
