DEV Community: Kevin The latest articles on DEV Community by Kevin (@kcxtn). https://dev.to/kcxtn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3292799%2Fcd79ba7a-716a-442f-9c32-a793774b4efb.png DEV Community: Kevin https://dev.to/kcxtn en Streamlined Authentication with SvelteKit and Auth0 Kevin Wed, 25 Jun 2025 07:01:44 +0000 https://dev.to/kcxtn/streamlined-authentication-with-sveltekit-and-auth0-1d54 https://dev.to/kcxtn/streamlined-authentication-with-sveltekit-and-auth0-1d54 <p>In this post, we will implement client-side authentication for SvelteKit apps using Auth0’s auth0-spa-js library.</p> <h2> The Goal: A Route Guard and a Centralized Auth Store </h2> <p>The goal is to create a guard that prevents users from accessing protected routes and a centralized store of information so that we can react to changes in authentication status. A Svelte writable store is perfect for this, it can hold the Auth0 client instance, the user's information, authentication status, and any loading, or error states.</p> <h3> 1. Configuration and Setup </h3> <p>The first step is to set up an Auth0 application. We can do this by following Auth0's <a href="https://auth0.com/docs/quickstart/spa/vanillajs/interactive" rel="noopener noreferrer">official quickstart guide</a> for vanilla JavaScript applications - it'll walk us through the process.</p> <p>Once our Auth0 application is created, we need to make its domain and client ID accessible to our SvelteKit project. We do this by creating a <code>.env</code> file in the root of the SvelteKit project and adding the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PUBLIC_AUTH_DOMAIN=&lt;OUR AUTH0 DOMAIN&gt; PUBLIC_CLIENT_ID=&lt;OUR AUTH0 CLIENT_ID&gt; </code></pre> </div> <p>SvelteKit automatically exposes environment variables prefixed with <code>PUBLIC_</code>, so we can easily import these values into our application from <code>$env/static/public</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PUBLIC_AUTH_DOMAIN</span><span class="p">,</span> <span class="nx">PUBLIC_CLIENT_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="err">‘</span><span class="nx">$env</span><span class="o">/</span><span class="kd">static</span><span class="sr">/public</span><span class="err">’ </span></code></pre> </div> <p>This approach provides a modern and type-safe way to handle public environment variables in SvelteKit. With these variables in place, the next step is to create a file at <code>src/lib/auth0.js</code> where we define the methods for managing our centralized authentication state.</p> <h3> 2. The Authentication State </h3> <p>We define a SvelteKit writable store to hold authentication related details and assign it some initial values. This store will allow our components to react to changes in the user's authentication status.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">writable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">svelte/store</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">initialState</span> <span class="o">=</span> <span class="p">{</span> <span class="na">auth0Client</span><span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="na">isAuthenticated</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">isLoading</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="kc">null</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authStore</span> <span class="o">=</span> <span class="nf">writable</span><span class="p">(</span><span class="nx">initialState</span><span class="p">);</span> </code></pre> </div> <p>Then we declare a module-level variable to store the Auth0 client instance. This instance will be responsible for handling all interactions with the Auth0 service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">let</span> <span class="nx">clientInstance</span><span class="p">;</span> </code></pre> </div> <h3> 3. <code>initAuth0</code>: Our Application's Authentication Setup </h3> <p><code>initAuth0</code> is responsible for creating an Auth0 client and updating the initial user state within our application. It should be called only once, whenever our application starts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PUBLIC_AUTH_DOMAIN</span><span class="p">,</span> <span class="nx">PUBLIC_CLIENT_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/public</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createAuth0Client</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@auth0/auth0-spa-js</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">initAuth0</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">clientInstance</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="nx">authStore</span><span class="p">.</span><span class="nf">update</span><span class="p">((</span><span class="nx">store</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">store</span><span class="p">,</span> <span class="na">isLoading</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="kc">null</span> <span class="p">}));</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// 1. Initialize Auth0 Client</span> <span class="nx">clientInstance</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createAuth0Client</span><span class="p">({</span> <span class="na">domain</span><span class="p">:</span> <span class="nx">PUBLIC_AUTH_DOMAIN</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">PUBLIC_CLIENT_ID</span><span class="p">,</span> <span class="na">authorizationParams</span><span class="p">:</span> <span class="p">{</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span> <span class="p">},</span> <span class="na">cacheLocation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">localstorage</span><span class="dl">'</span><span class="p">,</span> <span class="na">useRefreshTokens</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// 2. Handle Authentication Redirect (Post-Login)</span> <span class="k">if </span><span class="p">(</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">code=</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">state=</span><span class="dl">'</span><span class="p">)</span> <span class="p">){</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">appState</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">clientInstance</span><span class="p">.</span><span class="nf">handleRedirectCallback</span><span class="p">();</span> <span class="c1">// `goto` isn't available in hooks.client.js, so we </span> <span class="c1">// use `window.location.replace` instead.</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nx">appState</span><span class="p">?.</span><span class="nx">targetUrl</span> <span class="o">||</span> <span class="dl">''</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// 3. Check Authentication Status and Get User Profile</span> <span class="kd">const</span> <span class="nx">isAuthenticated</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">clientInstance</span><span class="p">.</span><span class="nf">isAuthenticated</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">isAuthenticated</span> <span class="p">?</span> <span class="k">await</span> <span class="nx">clientInstance</span><span class="p">.</span><span class="nf">getUser</span><span class="p">()</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">;</span> <span class="c1">// 4. Update Application's Authentication State</span> <span class="nx">authStore</span><span class="p">.</span><span class="nf">update</span><span class="p">((</span><span class="nx">store</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">store</span><span class="p">,</span> <span class="na">auth0Client</span><span class="p">:</span> <span class="nx">clientInstance</span><span class="p">,</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="na">isLoading</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}));</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>To make sure this function is only invoked once when our application loads, we can call it from <code>src/hooks.client.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">initAuth0</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/auth0.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">init</span><span class="p">()</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">initAuth0</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>Since the SvelteKit <code>init</code> client side hook calls <code>initAuth0</code>, our application will only hydrate after our Auth0 authentication service is initialized.</p> <h3> 4. Protecting Routes with <code>auth0Guard</code> </h3> <p><code>auth0Guard</code> simplifies authentication checks within our load functions. It acts as a gatekeeper, ensuring that users are properly authenticated before they can access protected routes. If an unauthenticated user tries to sneak in, auth0Guard seamlessly redirects them to our login page.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="kd">get</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">svelte/store</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">goto</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/navigation</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">defaultRouteGuardOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">requiresAuth</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">loginPath</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="p">};</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">auth0Guard</span><span class="p">(</span><span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">requiresAuth</span><span class="p">,</span> <span class="nx">loginPath</span><span class="p">,</span> <span class="nx">redirectTo</span> <span class="p">}</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">defaultRouteGuardOptions</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">};</span> <span class="k">if </span><span class="p">(</span><span class="nx">requiresAuth</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nf">get</span><span class="p">(</span><span class="nx">authStore</span><span class="p">).</span><span class="nx">isAuthenticated</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">loginPath</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">?redirect=</span><span class="dl">'</span> <span class="o">+</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">redirectTo</span> <span class="o">||</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">pathname</span><span class="p">);</span> <span class="k">return</span> <span class="nf">goto</span><span class="p">(</span><span class="nx">path</span><span class="p">,</span> <span class="p">{</span> <span class="na">replaceState</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>auth0Guard</code> can protect individual pages and groups of routes. To protect a specific page, we call <code>auth0Guard</code> from its <code>+page.js load</code>. Remember to double check that <code>auth0Guard</code> is only being called in a browser environment.</p> <p>For example, to protect <code>routes/user-settings</code>, define the following <code>routes/user-settings/+page.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">browser</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/environment</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth0Guard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/auth0</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">load</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">browser</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">auth0Guard</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>To protect groups of routes, leverage SvelteKit's route groups by placing auth0Guard in a top-level <code>+layout.js</code>.</p> <p>For example, to protect <code>routes/(protected)/user-settings</code> and <code>routes/(protected)/user-profile</code>, add <code>auth0Guard</code> to <code>routes/(protected)/+layout.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">browser</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/environment</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth0Guard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/auth0</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">load</span><span class="p">({</span> <span class="nx">url</span> <span class="p">})</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">browser</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">auth0Guard</span><span class="p">({</span> <span class="na">redirectTo</span><span class="p">:</span> <span class="nx">url</span><span class="p">.</span><span class="nx">pathname</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>A URL pathname must be explicitly passed to <code>auth0Guard</code> when protecting route groups to ensure the authentication flow will successfully redirect the user back to the correct destination.</p> <h3> 5. Reacting to Authentication State </h3> <p>We react to changes in authentication state by importing the <code>authStore</code> into a component or page. The snippet below displays different messages based on whether the user is authenticated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">authStore</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/auth0</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">isAuthenticated</span> <span class="o">=</span> <span class="nf">$derived</span><span class="p">(</span><span class="nx">$authStore</span><span class="p">.</span><span class="nx">isAuthenticated</span><span class="p">);</span> <span class="o">&lt;</span><span class="sr">/script</span><span class="err">&gt; </span> <span class="p">{</span><span class="err">#</span><span class="k">if</span> <span class="nx">isAuthenticated</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span> <span class="nx">Hello</span><span class="p">,</span> <span class="nx">World</span><span class="o">!</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span><span class="p">{:</span><span class="k">else</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span> <span class="nx">Goodbye</span><span class="p">,</span> <span class="nx">World</span><span class="o">!</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span><span class="p">{</span><span class="sr">/if</span><span class="err">} </span></code></pre> </div> <h2> Conclusion: Simple SvelteKit Authentication with Auth0 </h2> <p>By harnessing Svelte’s writable stores, we’ve established a single source of truth for our authentication state. This simplifies managing user logins and reacting to changes in authentication state across our application. We’ve avoided unnecessary Auth0 client initialization by ensuring that <code>initAuth0</code> is only called in SvelteKit’s application initialization hook, and we’ve looked at how we can protect our routes from unauthorized access using a route guard. With these tools, we can confidently build secure SvelteKit applications!</p> webdev svelte sveltekit javascript