Auth

The Auth component lets you create centralized auth servers on AWS. It deploys OpenAuth to AWS Lambda and uses Amazon DynamoDB for storage.

Note

Auth and OpenAuth are currently in beta.

Create a Auth server

sst.config.ts

const auth = new sst.aws.Auth("MyAuth", {
  authorizer: "src/auth.handler"
});

Add a custom domain

Set a custom domain for your Auth server.

sst.config.ts

new sst.aws.Auth("MyAuth", {
  authorizer: "src/auth.handler",
  domain: "auth.example.com"
});

---

Constructor

new Auth(name, args, opts?)

Parameters

• name string

• args AuthArgs

• opts? ComponentResourceOptions

AuthArgs

authorizer

Type Input<string | FunctionArgs>

The authorizer function.

{
  authorizer: "src/auth.handler"
}

domain?

Type Input<string | Object>

• aliases?

• cert?

• dns?

• name

• redirects?

Set a custom domain for your Auth server.

Automatically manages domains hosted on AWS Route 53, Cloudflare, and Vercel. For other providers, you’ll need to pass in a cert that validates domain ownership and add the DNS records.

Tip

Built-in support for AWS Route 53, Cloudflare, and Vercel. And manual setup for other providers.

By default this assumes the domain is hosted on Route 53.

{
  domain: "auth.example.com"
}

For domains hosted on Cloudflare.

{
  domain: {
    name: "auth.example.com",
    dns: sst.cloudflare.dns()
  }
}

domain.aliases?

Type Input<string[]>

Alias domains that should be used. Unlike the redirect option, this keeps your visitors on this alias domain.

So if your users visit app2.domain.com, they will stay on app2.domain.com in their browser.

{
  domain: {
    name: "app1.domain.com",
    aliases: ["app2.domain.com"]
  }
}

domain.cert?

Type Input<string>

The ARN of an ACM (AWS Certificate Manager) certificate that proves ownership of the domain. By default, a certificate is created and validated automatically.

The certificate will be created in the us-east-1 region as required by AWS CloudFront. If you are creating your own certificate, you must also create it in us-east-1.

Tip

You need to pass in a cert for domains that are not hosted on supported dns providers.

To manually set up a domain on an unsupported provider, you’ll need to:

1. Validate that you own the domain by creating an ACM certificate. You can either validate it by setting a DNS record or by verifying an email sent to the domain owner.
2. Once validated, set the certificate ARN as the cert and set dns to false.
3. Add the DNS records in your provider to point to the CloudFront distribution URL.

{
  domain: {
    name: "domain.com",
    dns: false,
    cert: "arn:aws:acm:us-east-1:112233445566:certificate/3a958790-8878-4cdc-a396-06d95064cf63"
  }
}

domain.dns?

Type Input<false | sst.aws.dns | sst.cloudflare.dns | sst.vercel.dns>

Default sst.aws.dns

The DNS provider to use for the domain. Defaults to the AWS.

Takes an adapter that can create the DNS records on the provider. This can automate validating the domain and setting up the DNS routing.

Supports Route 53, Cloudflare, and Vercel adapters. For other providers, you’ll need to set dns to false and pass in a certificate validating ownership via cert.

Specify the hosted zone ID for the Route 53 domain.

{
  domain: {
    name: "example.com",
    dns: sst.aws.dns({
      zone: "Z2FDTNDATAQYW2"
    })
  }
}

Use a domain hosted on Cloudflare, needs the Cloudflare provider.

{
  domain: {
    name: "example.com",
    dns: sst.cloudflare.dns()
  }
}

Use a domain hosted on Vercel, needs the Vercel provider.

{
  domain: {
    name: "example.com",
    dns: sst.vercel.dns()
  }
}

domain.name

Type Input<string>

The custom domain you want to use.

{
  domain: {
    name: "example.com"
  }
}

Can also include subdomains based on the current stage.

{
  domain: {
    name: `${$app.stage}.example.com`
  }
}

domain.redirects?

Type Input<string[]>

Alternate domains to be used. Visitors to the alternate domains will be redirected to the main name.

Note

Unlike the aliases option, this will redirect visitors back to the main name.

Use this to create a www. version of your domain and redirect visitors to the apex domain.

{
  domain: {
    name: "domain.com",
    redirects: ["www.domain.com"]
  }
}

forceUpgrade?

Type “v2”

Force upgrade from Auth.v1 to the latest Auth version. The only valid value is v2, which is the version of the new Auth.

The latest Auth is powered by OpenAuth. To upgrade, add the prop.

{
  forceUpgrade: "v2"
}

Run sst deploy.

Tip

You can remove this prop after you upgrade.

This upgrades your component and the resources it created. You can now optionally remove the prop.

Properties

nodes

Type Object

• authorizer

• router

• table

The underlying resources this component creates.

nodes.authorizer

Type Output<Function>

The Function component for the authorizer.

nodes.router

Type undefined | Router

The Router component for the custom domain.

nodes.table

Type Dynamo

The DynamoDB component.

url

Type Output<string>

The URL of the Auth component.

If the domain is set, this is the URL with the custom domain. Otherwise, it’s the autogenerated function URL for the authorizer.

SDK

Use the SDK in your runtime to interact with your infrastructure.

---

Links

This is accessible through the Resource object in the SDK.

• url string

  The URL of the Auth component.

  If the domain is set, this is the URL with the custom domain. Otherwise, it’s the autogenerated function URL for the authorizer.