Auth
Phone-based OTP authentication. The recommended production approach is Configure.auth() from the hosted iframe script, which handles the full flow inside a secure Configure-owned iframe.
Configure.auth() (Recommended)
The hosted auth surface handles phone input, OTP verification, and profile approval inside a cross-origin iframe. The parent app receives only an agent-scoped token after the user completes approval.
html
<div id="configure-auth"></div>
<script src="https://configure.dev/js/configure.js"></script>
<script>
Configure.auth({
el: "#configure-auth",
publishableKey: "pk_...",
agent: "your-agent",
theme: "light"
});
document.addEventListener("configure:authenticated", (e) => {
const { token, userId } = e.detail;
// token is agent-scoped — pass it to your backend
});
</script>Options
| Name | Type | Required | Description |
|---|---|---|---|
el | string | Element | Yes | CSS selector or DOM element to mount the auth iframe into. |
publishableKey | string | Yes | Publishable key (pk_...) — safe for client-side use. |
agent | string | Yes | Which agent is authenticating. |
theme | 'light' | 'dark' | Yes | Hosted iframe theme. Pass it explicitly to avoid OS-theme mismatch with the host app. |
Events
| Event | Detail | Description |
|---|---|---|
configure:authenticated | { token, userId } | Fired on successful auth. token is agent-scoped. |
configure:error | { code, message } | Fired on auth failure. |
Returns
ConfigureFrame — { id, iframe, destroy(), close(), refresh() }
SDK Methods (Server / Headless Reference)
WARNING
For production browser auth, use Configure.auth() instead of calling these directly. These methods are documented for trusted server-side or headless contexts only.
sendOtp
typescript
auth.sendOtp(phone: string): Promise<OtpStartResponse>Send a one-time password to a phone number via SMS.
| Name | Type | Required | Description |
|---|---|---|---|
phone | string | Yes | Phone number in E.164 format (e.g., "+14155551234"). |
Returns { ok: boolean }.
verifyOtp
typescript
auth.verifyOtp(phone: string, code: string): Promise<OtpVerifyResponse>Verify a 6-digit OTP code. Returns a JWT token and user ID on success.
| Name | Type | Required | Description |
|---|---|---|---|
phone | string | Yes | Phone number in E.164 format. Must match the number used in sendOtp. |
code | string | Yes | 6-digit OTP code received via SMS. |
Returns { token: string, userId: string }.