MonoCloud Authentication SDK
    Preparing search index...

    Configuration options used to initialize the SDK client.

    Configuration values can be provided using either:

    • Constructor options - passed when creating the client instance.
    • Environment variables - using MONOCLOUD_AUTH_* variables.

    When both are provided, constructor options override environment variables.

    Environment Variable Description
    MONOCLOUD_AUTH_CLIENT_ID Unique identifier for your application/client.
    MONOCLOUD_AUTH_CLIENT_SECRET Application/client secret used for authentication.
    MONOCLOUD_AUTH_TENANT_DOMAIN The domain of your MonoCloud tenant (for example, https://your-tenant.us.monocloud.com).
    MONOCLOUD_AUTH_APP_URL The base URL where your application is hosted.
    MONOCLOUD_AUTH_COOKIE_SECRET A long, random string used to encrypt and sign session cookies.
    Environment Variable Description
    MONOCLOUD_AUTH_SCOPES Space-separated list of OIDC scopes to request (for example, openid profile email).
    MONOCLOUD_AUTH_RESOURCE Default resource (audience) identifier used when issuing access tokens.
    MONOCLOUD_AUTH_USE_PAR Enables Pushed Authorization Requests (PAR) for authorization flows.
    MONOCLOUD_AUTH_CLOCK_SKEW Allowed clock drift (in seconds) when validating token timestamps.
    MONOCLOUD_AUTH_CLOCK_TOLERANCE Additional time tolerance (in seconds) applied when validating time-based token claims.
    MONOCLOUD_AUTH_FEDERATED_SIGNOUT If true, signing out of the application also signs the user out of MonoCloud (SSO sign-out).
    MONOCLOUD_AUTH_RESPONSE_TIMEOUT Maximum time (in milliseconds) to wait for responses from the authentication service.
    MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES Allows authorization parameters (such as scope, resource, or prompt) to be overridden via URL query parameters.
    MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI URL users are redirected to after a successful logout.
    MONOCLOUD_AUTH_FETCH_USER_INFO Determines whether user profile data is fetched from the UserInfo endpoint after authorization.
    MONOCLOUD_AUTH_REFETCH_USER_INFO If true, user information is re-fetched on each userinfo request.
    MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC When true, the session user profile is fully replaced from the latest ID token (and UserInfo response, if applicable) instead of being merged with the existing profile.
    MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG Expected signing algorithm for ID tokens (for example, RS256).
    MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS Space-separated list of ID token claims excluded from the session object.
    MONOCLOUD_AUTH_GROUPS_CLAIM Name of the claim in the user profile that holds group memberships, used as the default when evaluating group-based authorization. Defaults to groups.
    Environment Variable Description
    MONOCLOUD_AUTH_CALLBACK_URL Application path where the authorization server redirects the user after authentication.
    MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL Application path that handles OpenID Connect back-channel logout requests initiated by MonoCloud.
    MONOCLOUD_AUTH_SIGNIN_URL Internal route used to initiate the sign-in flow.
    MONOCLOUD_AUTH_SIGNOUT_URL Internal route used to initiate the sign-out flow.
    MONOCLOUD_AUTH_USER_INFO_URL Route that exposes the authenticated user’s profile retrieved from the UserInfo endpoint.
    Environment Variable Description
    MONOCLOUD_AUTH_SESSION_COOKIE_NAME Name of the cookie used to store the authenticated user session.
    MONOCLOUD_AUTH_SESSION_COOKIE_PATH Path scope for which the session cookie is valid.
    MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN Domain scope for which the session cookie is valid.
    MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY Prevents client-side scripts from accessing the session cookie.
    MONOCLOUD_AUTH_SESSION_COOKIE_SECURE Ensures the session cookie is only sent over HTTPS connections.
    MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE SameSite policy applied to the session cookie (lax, strict, or none).
    MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT Determines whether the session cookie persists across browser restarts.
    MONOCLOUD_AUTH_SESSION_SLIDING Enables sliding session expiration instead of absolute expiration.
    MONOCLOUD_AUTH_SESSION_DURATION Session lifetime in seconds.
    MONOCLOUD_AUTH_SESSION_MAX_DURATION Maximum allowed lifetime of a sliding session in seconds.
    Environment Variable Description
    MONOCLOUD_AUTH_STATE_COOKIE_NAME Name of the cookie used to store OpenID Connect state and nonce values during authentication.
    MONOCLOUD_AUTH_STATE_COOKIE_PATH Path scope for which the state cookie is valid.
    MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN Domain scope for which the state cookie is valid.
    MONOCLOUD_AUTH_STATE_COOKIE_SECURE Ensures the state cookie is only sent over HTTPS connections.
    MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE SameSite policy applied to the state cookie (lax, strict, or none).
    MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT Determines whether the state cookie persists beyond the current browser session.
    Environment Variable Description
    MONOCLOUD_AUTH_JWKS_CACHE_DURATION Duration (in seconds) to cache the JSON Web Key Set (JWKS) used to verify tokens.
    MONOCLOUD_AUTH_METADATA_CACHE_DURATION Duration (in seconds) to cache the OpenID Connect discovery metadata.
    Environment Variable Description
    DEBUG Standard debug namespace filter that enables the SDK's internal debug logging. Set to the client's debug namespace (node-auth-core by default) or a wildcard such as *.
    interface MonoCloudOptions {
        allowQueryParamOverrides?: boolean;
        appUrl?: string;
        clientId?: string;
        clientSecret?: string;
        clockSkew?: number;
        clockTolerance?: number;
        cookieSecret?: string;
        debugger?: string;
        defaultAuthParams?: AuthorizationParams;
        federatedSignOut?: boolean;
        fetchUserInfo?: boolean;
        filteredIdTokenClaims?: string[];
        groupsClaim?: string;
        idTokenSigningAlg?: SecurityAlgorithms;
        jwksCacheDuration?: number;
        metadataCacheDuration?: number;
        onBackChannelLogout?: OnBackChannelLogout;
        onSessionCreating?: OnSessionCreating;
        onSetApplicationState?: OnSetApplicationState;
        postLogoutRedirectUri?: string;
        refetchUserInfo?: boolean;
        resources?: Indicator[];
        responseTimeout?: number;
        routes?: Partial<MonoCloudRoutes>;
        session?: MonoCloudSessionOptions;
        state?: MonoCloudStatePartialOptions;
        strictProfileSync?: boolean;
        tenantDomain?: string;
        usePar?: boolean;
        userAgent?: string;
    }

    Hierarchy

    • Partial<
          Omit<
              MonoCloudOptionsBase,
              "defaultAuthParams"
              | "session"
              | "routes"
              | "state",
          >,
      >
      • MonoCloudOptions
    Index

    Properties

    allowQueryParamOverrides?: boolean

    Allows authorization parameters to be overridden using query parameters.

    When disabled, parameters such as scope, resource, prompt, and login_hint present in the request URL are ignored and cannot modify the authentication request.

    false
    
    appUrl?: string

    Base URL where the application is hosted.

    Used to construct redirect URLs and validate requests.

    clientId?: string

    Client identifier of the application registered in MonoCloud.

    clientSecret?: string

    Optional client secret used for confidential clients.

    clockSkew?: number

    Allowed clock skew (in seconds) when validating token timestamps.

    0 (seconds)
    
    clockTolerance?: number

    Additional time tolerance (in seconds) applied when validating time-based token claims (such as exp and nbf).

    60 (seconds)
    
    cookieSecret?: string

    Secret used to encrypt and sign authentication cookies. This value should be long, random, and kept private.

    debugger?: string

    Identifier used for internal debugging/logging.

    defaultAuthParams?: AuthorizationParams

    Default authorization parameters automatically included in authentication requests unless explicitly overridden.

    {
    * scope: 'openid email profile',
    * response_type: 'code'
    * }
    federatedSignOut?: boolean

    When true, signing out also logs the user out of MonoCloud (Single Sign-Out).

    true
    
    fetchUserInfo?: boolean

    Fetch user profile data from the UserInfo endpoint after authentication completes.

    true
    
    filteredIdTokenClaims?: string[]

    List of ID token claims that should be removed before storing data in the session.

    groupsClaim?: string

    Name of the claim in the user profile that holds group memberships, used as the default when evaluating group-based authorization.

    'groups'
    
    idTokenSigningAlg?: SecurityAlgorithms

    Expected signing algorithm for ID tokens.

    'RS256'
    
    jwksCacheDuration?: number

    Duration (in seconds) to cache the JWKS document.

    300
    
    metadataCacheDuration?: number

    Duration (in seconds) to cache OpenID discovery metadata.

    300
    
    onBackChannelLogout?: OnBackChannelLogout

    Invoked when a back-channel logout request is received.

    onSessionCreating?: OnSessionCreating

    Invoked before a session is created or updated. Can be used to modify session data or attach custom fields.

    onSetApplicationState?: OnSetApplicationState

    Invoked before authentication begins to attach custom application state.

    postLogoutRedirectUri?: string

    URL to redirect users to after logout completes.

    refetchUserInfo?: boolean

    Refetch user profile data whenever the application's UserInfo endpoint is invoked.

    false
    
    resources?: Indicator[]

    Optional resource indicators available when requesting tokens via getTokens().

    responseTimeout?: number

    Maximum time (in milliseconds) to wait for responses from the MonoCloud authorization server.

    10000 (10 seconds)
    
    routes?: Partial<MonoCloudRoutes>

    Overrides for built-in authentication route paths.

    Session configuration overrides.

    Configuration for authentication state handling.

    strictProfileSync?: boolean

    Determines how user profile is updated when the session is updated.

    When enabled, the session user profile is fully replaced with a newly constructed profile derived from the latest ID token and, if applicable, the UserInfo response.

    false
    
    tenantDomain?: string

    MonoCloud tenant domain (for example, https://your-tenant.us.monocloud.com).

    usePar?: boolean

    Enables Pushed Authorization Requests (PAR).

    When enabled, authorization parameters are sent securely via the PAR endpoint instead of the browser.

    false
    
    userAgent?: string

    Custom User-Agent value sent with requests to MonoCloud.