Skip to main content

Prerequisites

Create Passport Client

Set up your Passport client in Immutable Hub to get the credentials needed for authentication.

Create Passport Client

Step-by-step guide to creating a Passport client, configuring redirect URIs, and getting your Client ID
You’ll need:
  • Client ID from your Passport client in Hub
  • Publishable Key from your Hub project settings
These values are required to initialize Passport in the next section.

Passport Credentials Reference

Passport uses OpenID Connect (OIDC). Redirect URIs must be exact matches—wildcards aren’t supported for security reasons. Register multiple URIs for different environments (localhost, staging, production).
For complete details on client configuration, see Passport Clients in Hub.

Installation

Install the Immutable SDK for your platform to get started with Passport:

TypeScript

Install via npm or yarn

Next.js

Install via npm for App Router

Unity

Install via Package Manager

Unreal

Install Passport plugin in your Unreal project

Initialize Passport

Create your auth configuration:
Create the API route handler:
Wrap your app with SessionProvider:
Set environment variables:
For full setup details including server utilities and route protection, see the Next.js integration guide.

Login

The useLogin hook provides embedded, popup, and redirect login flows. All functions accept an optional config; when omitted, sandbox defaults are used.

Embedded Login

Shows an in-page modal for login method selection — no popup window required:

Redirect Login

Direct Login Options

Skip the login method selection screen and go directly to a specific provider:

Handle the Callback

On your redirect URI page, process the authentication callback:
The CallbackPage component handles both redirect and popup flows automatically. For popup logins, it communicates tokens back to the parent window and closes itself.

Get User Information

User Profile

Session Management

Check If Logged In

Always use isAuthenticated from useImmutableSession to determine if a user is logged in.
Do not use !!session or status === 'authenticated' to check auth state. A session object can exist with expired or invalid tokens, and status does not account for token-level errors like RefreshTokenError.
isAuthenticated validates all of the following:
  1. NextAuth reports 'authenticated' status
  2. The session object exists
  3. A valid access token is present in the session
  4. No session-level error exists (such as RefreshTokenError)
It also handles transient states gracefully — during session refetches (window focus) or manual refreshes (after wallet registration via getUser(true)), isAuthenticated remains true if the user was previously authenticated, preventing UI flicker.

Get Access Token

For authenticated API calls to your backend:
getAccessToken() returns a guaranteed-fresh access token. If the current token is valid it returns immediately; if expired, it triggers a server-side refresh and blocks until the fresh token is available. Multiple concurrent calls share a single refresh request.

SWR Fetcher

Event Handler

Periodic Polling

Token Refresh

Automatic Refresh

The server-side JWT callback automatically refreshes tokens when the access token expires. This happens transparently during any session access.

Force Refresh

After operations that update user claims on the identity provider (such as zkEVM wallet registration), force a token refresh to get the updated data:

Get ID Token

The ID token contains user identity claims:
The ID token is not stored in the session cookie (to stay within CDN header size limits). Use getUser() to access it — the client persists it in localStorage automatically.

Logout

The useLogout hook performs federated logout — it clears both the local NextAuth session and the upstream Immutable/Auth0 session by redirecting to the logout endpoint. This is important when using social logins like Google: without federated logout, the auth server caches the social session, so users clicking “Login” again would be automatically logged in with the same account instead of being prompted to choose.
To customize the logout redirect URI:

Error Handling

Common Logout Issues: Example (TypeScript):

Backend JWT Validation

Validate Passport JWTs on your server to secure API endpoints.

Node.js with jose

Express Middleware

JWT Claims Reference

Error Handling

Handle authentication errors gracefully to provide better user experience:
Check the session error field for token-level issues and use try/catch around getAccessToken():

Common Error Types

Next Steps

Framework Setup

Integrate with Next.js, Vite, and other frameworks

Wallet Operations

Connect wallet, send transactions, and sign messages

Architecture

Understand the security model