Authentication

FFDB authentication is built into the SDK. You configure your app once, then use the auth client for sign-in, session reads, and sign-out flows.

Authentication model

  • Developer setup credentials: Used for setup-time workflows like type generation and trusted server operations.
  • End-user sessions: Used by application users signing in through the SDK auth methods.
  • Session-aware data access: After user sign-in, the SDK manages session-aware access for database operations in your app.

Sign in with email/password

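// Import path assumed: the page only shows the 'ffdb-client/react' entry point.
import { createClient } from 'ffdb-client'

// Create the client once; the API URL comes from the build-time environment.
const { auth } = await createClient({
  config: { apiUrl: import.meta.env.VITE_FFDB_API_URL },
})

// Placeholder credentials; pass the values the user entered.
await auth.signIn.email({
  email: 'user@example.com',
  password: 'password',
})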

Read the current session

const { data: session, error } = await auth.getSession()

if (error) {
  console.error(error)
}

console.log(session?.user)

Sign out

await auth.signOut()

React usage

Use React helpers from the SDK provider context:

import { FFDBProvider, useAuth } from 'ffdb-client/react'

function SignInButton() {
  const auth = useAuth()

  const onClick = async () => {
    await auth.signIn.email({
      email: 'user@example.com',
      password: 'password',
    })
  }

  return <button onClick={onClick}>Sign in</button>
}

Practical guidance

  • Use session checks on app start: Call auth.getSession() during app initialization so UI state reflects signed-in status early.
  • Treat auth as async state: Handle loading and null-session states explicitly, especially after tab focus or reconnect.
  • Do not persist privileged secrets in UI bundles: Keep setup/admin credentials in secure environments.
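
The guidance on session checks and async auth state, as an added example that is not part of the SDK or the original page: a small session store that starts in a loading state, drops the user on any error, and ignores a slow response that arrives after a newer one (as can happen when tab focus and reconnect both trigger a refresh). createSessionStore, stubAuth and the status names are hypothetical; only auth.getSession() and its { data, error } result shape come from the page.

```javascript
// Added example. createSessionStore and the status names are hypothetical
// helpers, not SDK API; only auth.getSession() and its { data, error }
// result shape come from the page.
function createSessionStore(auth) {
  let state = { status: 'loading', user: null }
  let latest = 0 // id of the newest refresh; results of older calls are dropped

  async function refresh() {
    const id = ++latest
    let next
    try {
      const { data: session, error } = await auth.getSession()
      if (error) next = { status: 'error', user: null }
      else if (session?.user) next = { status: 'signedIn', user: session.user }
      else next = { status: 'signedOut', user: null }
    } catch {
      // Thrown/network failure: fail closed, never keep showing a previous user.
      next = { status: 'error', user: null }
    }
    // Focus and reconnect can fire together; a slow older call must not
    // overwrite the result of a newer one.
    if (id === latest) state = next
    return state
  }

  return { refresh, get: () => state }
}

// Constructed stand-in for the SDK auth client: each getSession() call
// returns the next queued promise, so response order can be controlled.
function stubAuth(queue) {
  return { getSession: () => queue.shift() }
}

// Demo: the user signed out in another tab. The first refresh (still signed in)
// resolves after the second one (null session) and must be ignored.
async function demoStaleResponse() {
  let releaseSlow
  const slow = new Promise((resolve) => { releaseSlow = resolve })
  const store = createSessionStore(stubAuth([
    slow,
    Promise.resolve({ data: null, error: null }),
  ]))
  const first = store.refresh()
  await store.refresh()
  releaseSlow({ data: { user: { id: 'u1' } }, error: null })
  await first
  return store.get().status // 'signedOut'
}
```

In an app, call refresh() once during initialization and again from the focus and online event handlers, and render from get().status.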

Admin OAuth provider setup

For tenant apps, OAuth providers are configured in admin Settings under the runtime config panel.

  1. Open Settings as an admin user.
  2. Enter provider credentials for Google, GitHub, Microsoft, or Apple.
  3. Enable only providers that show complete required credentials.
  4. Save changes and allow the backend restart to apply the new auth wiring.

Provider notes:

  • Microsoft supports single, multi, and both tenant modes.
  • Apple credentials require key rotation tracking; store the private-key expiry date to support reminder workflows.

Secrets are write-only in the UI. Existing values are masked and can only be rotated by entering a new value.

Tenant Stripe auth plugin prerequisites

Stripe-backed auth flows require both of the following runtime secrets:

  1. Stripe secret key
  2. Stripe webhook secret

If either secret is missing, Stripe plugin wiring stays disabled for safety.

Next pages

  1. Database queries
  2. Access control
  3. React
