React & Node integration

@finsel-dgi/pasby-react — loginWithSecret, tokenSwap, and eidResource for custom backends.

@finsel-dgi/pasby-react provides server-side helpers for the OIDC API. Use it with Express, Fastify, Remix loaders, or any Node HTTP stack. For Next.js App Router, prefer @finsel-dgi/pasby-next which builds on this package.

npm: @finsel-dgi/pasby-react · Repository: github.com/Finsel-DGI/pasby-auth-react

Install

npm install @finsel-dgi/pasby-react

Server functions import from the /server subpath (never bundle secrets to the browser):

import {
  loginWithSecret,
  tokenSwap,
  eidResource,
} from "@finsel-dgi/pasby-react/server";

Environment variables

Variable	Purpose
`PASBY_CONSUMER_KEY`	`x-api-key` on session start
`PASBY_CLIENT_SECRET`	`x-access-secret` on session start
`PASBY_CLIENT_ID`	App id on resource call
`SECRET_GEN`	Encrypt/decrypt PKCE verifier and tokens in cookies

Server exports

Export	OIDC step	Maps to
`loginWithSecret`	Start session	`POST /oidc/kipindi`
`tokenSwap`	Exchange token	`POST /oidc/kupeana`
`eidResource`	Get claims	`POST /oidc/resource`
`getUser`	Decode access cookie	JWT `sub` only (no resource call)

Types: User from @finsel-dgi/pasby-react.

Express example

import express from "express";
import { loginWithSecret } from "@finsel-dgi/pasby-react/server";

const app = express();

app.get("/auth/login", async (req, res) => {
  const { redirect, pkceverifier, id } = await loginWithSecret({
    claims: ["naming.given", "naming.family", "contact.email"],
    action: "login",
    payload: "Sign in to your app",
    redirect_uri: "https://your-app.com/auth/callback",
  });

  res.cookie("pasby_pkce", pkceverifier, {
    httpOnly: true,
    secure: true,
    sameSite: "lax",
    maxAge: 10 * 60 * 1000,
  });

  res.redirect(redirect);
});

loginWithSecret generates PKCE, calls start session, and returns:

Field	Use
`redirect`	Hosted identification URL — redirect the browser here
`pkceverifier`	Encrypted verifier — store in httpOnly cookie until callback
`id`	Session id for support correlation

Callback — exchange + resource

app.get("/auth/callback", async (req, res) => {
  const { handshake, flow } = req.query as Record<string, string>;
  const pkceverifier = req.cookies.pasby_pkce;

  if (flow === "cancelled") {
    return res.redirect("/auth/cancelled");
  }

  const tokens = await tokenSwap({
    flow,
    code: handshake,
    pkceverifier,
  });

  const user = await eidResource({
    accessCode: tokens.access,
    challenge: tokens.challenge,
  });

  // Create your app session from user.national / user.claims
  req.session.userId = user.national;
  res.redirect("/dashboard");
});

tokenSwap returns encrypted access and challenge — pass them straight into eidResource (the SDK decrypts internally).

Optional: poll UI component

For signing flows that need client polling, the package exports PollEIDComponent from the main entry (browser-safe).

User shape

import type { User } from "@finsel-dgi/pasby-react";

const user: User = {
  national: "12345678901",
  country: "NG",
  claims: {
    contact: {
      email: "jane@example.com",
      emailVerified: true,
    },
    naming: {
      given: "Jane",
      family: "Doe",
    },
  },
};

Full claim keys: Claims reference.

PKCE

loginWithSecret generates PKCE via @rebatlabs/ui-funs and encrypts the verifier with SECRET_GEN. You do not call PKCE helpers manually unless you bypass the SDK.

If you implement raw HTTP instead, see PKCE and the Go examples in OIDC quickstart.

Next.js OIDC — App Router handler + LoginButton
OIDC quickstart
Client libraries

React & Node integration

On this page