@gadgetinc/auth is a deprecated plugin package that implements user authentication for your Gadget app.

@gadgetinc/auth has been replaced by the auth features built into Gadget itself and will no longer receive updates. If you are using @gadgetinc/auth, Gadget recommends migrating to framework version 1.0 and the built-in auth features that come with it. Migrating requires removing the @gadgetinc/auth package; reach out in our Discord for more information and support in doing so.


yarn add @gadgetinc/auth
# or
npm install --save @gadgetinc/auth

Registering the plugin

This plugin can be registered using a route plugin, which is a file in the routes folder starting with +, e.g. routes/+auth.js:

// routes/+auth.js
import { Auth } from "@gadgetinc/auth";
import { api } from "gadget-server";

export default function (server) {
  // Register the auth plugin on the Gadget route server.
  server.register(Auth, {
    // Uses Gadget's shared developer OAuth credentials; only for Development.
    gadgetManagedCredentials: true,
    api,
    providers: [
      {
        type: "google",
        // Read the real OAuth credentials from environment variables, never from source.
        clientId: process.env.GOOGLE_CLIENT_ID,
        clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      },
    ],
  });
}
  • gadgetManagedCredentials - whether or not you wish to use Gadget's developer OAuth credentials. These credentials are only intended for quick setup in your Development environment and should be replaced with your own before you deploy your app to Production. Defaults to false.
  • api - your Gadget API client
  • redirectToSignIn - if a user is not signed in when the preValidation check runs, redirect the user to the path specified by signInPath. Defaults to false.
  • signInPath - the path to your login page. This is where users will be redirected if redirectToSignIn is set to true. Defaults to /signin.
  • providers - an array of authentication providers
    • type - currently the only available type is "google"
    • clientId - Google OAuth client id
    • clientSecret - Google OAuth client secret
    • scopes - optional OAuth scopes to request from the user. Defaults to ["email", "profile"] for Google.
    • transformUser - by default the plugin will only attempt to set the user model's firstName, lastName, and email fields. If you've edited or added more fields and want to customize this behavior, this function is given the decoded id_token and must return the input to the user model's create action.
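
As an added example (not code from this page or from the @gadgetinc/auth package itself), the following shows how the transformUser option described above can validate the decoded Google id_token before its claims reach the user model's create action. It assumes the user model has an extra googleId field (hypothetical) and that the decoded token carries the standard Google claims sub, email, email_verified, given_name and family_name.

```javascript
// routes/+auth.js (added example; Auth would be imported from "@gadgetinc/auth"
// and api from "gadget-server" exactly as in the registration snippet above)

// Build the input for the user model's create action from the decoded Google
// id_token. Only the claims we need are copied across, and sign-in is refused
// when Google has not verified the address, so nobody can take over an account
// by registering someone else's email on an unverified Google account.
function transformUser(idToken) {
  if (!idToken || typeof idToken !== "object") {
    throw new Error("transformUser: missing decoded id_token");
  }
  if (idToken.email_verified !== true) {
    throw new Error("transformUser: refusing sign-in for unverified email");
  }
  if (typeof idToken.email !== "string" || !idToken.email.includes("@")) {
    throw new Error("transformUser: id_token has no usable email claim");
  }
  return {
    firstName: idToken.given_name ?? "",
    lastName: idToken.family_name ?? "",
    // Normalise so the same Google account cannot create two users by case.
    email: idToken.email.trim().toLowerCase(),
    // googleId is an assumed custom field on the user model, keyed on the
    // stable `sub` claim rather than the email address, which a user can change.
    googleId: idToken.sub,
  };
}

// Plugin options as passed to server.register(Auth, { api, ...authOptions }).
const authOptions = {
  gadgetManagedCredentials: false, // real credentials from env, not Gadget's dev ones
  redirectToSignIn: true, // send unauthenticated users to the sign-in page
  signInPath: "/signin",
  providers: [
    {
      type: "google",
      clientId: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      scopes: ["email", "profile"], // request only what the user model needs
      transformUser,
    },
  ],
};
```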

Protecting routes

To ensure only signed-in users have access to a route, you can protect it with the preValidation hook:

// routes/GET-protected-route.js
import { preValidation } from "@gadgetinc/auth";

export default async function route({ reply }) {
  await reply.send("this is a protected route!");
}

export const options = {
  // Runs before the handler and rejects requests that have no signed-in user.
  preValidation,
};

This route will return 403 Forbidden if accessed without signing in, and will run the route handler if accessed by someone who is signed in.