auth-shared overview

@vendidit/auth-shared is the type contract that every TypeScript consumer of the auth platform shares. JWT claim shapes, normalized principal types, every wire DTO, error codes + envelope, role + token type constants. Source-only — no build step.

Source	Vendidit/auth-shared
Stack	TypeScript 5+ · source-only, no build
Status	Production.

📦

Every consumer needs to register an app first. A system_admin creates an apps row, the consumer sets VENDIDIT_APP_CODE + JWT_ACCESS_SECRET, and tokens issued to that app_code carry the right scope. See the full flow in App registration.

What it gives you

• JWT claim shapes — UserJwtPayload, ServiceJwtPayload, RefreshJwtPayload, AccessJwtPayload, plus ImpersonationClaims, PasswordResetClaims, EmailVerificationClaims.
• Normalized principal types — AuthenticatedUser, ServicePrincipal, AuthPrincipal (the camelCase shapes every SDK exposes).
• Wire DTOs — User, Organization, MyOrgRecord, TokenPair, AuthResponse, SessionRecord, AuditLogEntry, etc.
• Error envelope + codes — AuthErrorCode, AuthErrorEnvelope, AuthErrorPayload.
• Constants — role codes (system_admin, org_admin, …), token-type constants (access, refresh, service).

Install

Track main directly from the GitHub repo (current convention — every in-org consumer picks up the latest shape on npm install):

npm install github:Vendidit/auth-shared

Or pin to a tagged release for reproducible builds:

npm install github:Vendidit/auth-shared#v0.1.0

The repo ships a committed dist/ so installs don’t need a build step on the consumer side — npm install clones, reads dist/, done. Every in-workspace TS consumer (auth-client, auth-server-ts, auth-server-nest) consumes via the GitHub URL.

Usage

import type {
    UserJwtPayload,
    AuthenticatedUser,
    AuthErrorEnvelope,
} from '@vendidit/auth-shared';

function asUser(claims: UserJwtPayload): AuthenticatedUser {
    return {
        id: claims.uid,
        email: claims.email,
        roles: claims.roles,
        permissions: claims.permissions,
        orgId: claims.org_id ?? null,
        orgSlug: claims.org_slug ?? null,
        appId: claims.app_id ?? null,
        appCode: claims.app_code ?? null,
    };
}

Subpath exports

For finer-grained imports:

import type { UserJwtPayload } from '@vendidit/auth-shared/jwt';
import type { User, Organization } from '@vendidit/auth-shared/dto';
import { AuthErrorCode } from '@vendidit/auth-shared/errors';
import { ROLES, TOKEN_TYPES } from '@vendidit/auth-shared/constants';

Why source-only?

Because every TS consumer in the platform has its own build step. Shipping pre-built artefacts would mean a separate publish cadence; with source-only, a change to a wire shape lands in one PR that updates every consumer through their normal type-check.

Related pages

• Type reference — auto-generated.
• auth-server-ts — uses these types.
• auth-server-nest — uses these types.
• auth-client — uses these types.