Essentials

Core concepts covering session management, route protection, CSRF, token rotation, authentication flows, OAuth, bot detection, cookies, and logging.

The essentials section covers every subsystem that the module provides at the gateway layer. Each page focuses on one area of the integration: how it works, what the relevant functions are, and how to wire them into your H3, Nitro, or Nuxt application.

For MFA, password reset, and email change flows, see the dedicated MFA section.

For Nuxt/Vue composables, see the Client-Side section.

Session Management
How useAuthData populates auth state during SSR, hydrates on the client, and exposes MFA challenges.
Route Protection
Event handler wrappers that enforce authentication, CSRF, and method requirements at the route definition level.
CSRF Protection
How the signed CSRF cookie is issued and verified, and how the client composables inject the token on every state-changing request.
Auth Flows
The built-in login, signup, and logout controllers, the routes they register, and how token cookies are set on the response.
OAuth and OIDC
Provider configuration, the authorization redirect, the callback exchange, PKCE, ID token verification, and at_hash validation.
Bot Detection
IP validation, bot detection middleware, the check endpoint integration, and firewall-level banning.
Cookies
Cookie names, security attributes, how signed cookies work, and the makeCookie utility.
Logging
The HTTP request logger, the pino logger instance, and log levels.