API Route Handlers
The ZewstID SDK provides pre-built API route handlers for all authentication methods. These handlers integrate with NextAuth and automatically establish SSO sessions.
Quick Setup
Create a single file to handle all authentication endpoints:
// app/api/zewstid/[...zewstid]/route.ts import { createZewstIDHandlers } from '@zewstid/nextjs/handlers'; const handlers = createZewstIDHandlers({ clientId: process.env.ZEWSTID_CLIENT_ID!, clientSecret: process.env.ZEWSTID_CLIENT_SECRET!, }); export const GET = handlers.GET; export const POST = handlers.POST;
This creates all these endpoints automatically:
| Endpoint | Method | Description |
|---|---|---|
/api/zewstid/check-email?email=... | GET | Check if user exists |
/api/zewstid/methods | POST | Get available auth methods for user |
/api/zewstid/password | POST | Password authentication |
/api/zewstid/otp/send | POST | Send OTP code via email |
/api/zewstid/otp/verify | POST | Verify OTP code |
/api/zewstid/magic-link/send | POST | Send magic link email |
/api/zewstid/magic-link/verify | POST | Verify magic link token |
/api/zewstid/mfa/verify | POST | Verify MFA/TOTP code |
/api/zewstid/establish-sso | GET | Establish SSO session |
Configuration Options
createZewstIDHandlers({ // Required clientId: process.env.ZEWSTID_CLIENT_ID!, // Optional - Client secret (required for confidential clients) clientSecret: process.env.ZEWSTID_CLIENT_SECRET, // Optional - Your app's base URL (defaults to NEXTAUTH_URL) baseUrl: process.env.NEXTAUTH_URL, // Optional - ZewstID API URL (defaults to https://api.zewstid.com) apiUrl: 'https://api.zewstid.com', // Optional - ZewstID Auth URL (defaults to https://auth.zewstid.com/realms/zewstid) issuerUrl: 'https://auth.zewstid.com/realms/zewstid', // Optional - NextAuth secret (defaults to NEXTAUTH_SECRET env var) nextAuthSecret: process.env.NEXTAUTH_SECRET, // Optional - Enable/disable SSO establishment (default: true) enableSSOEstablishment: true, });
Endpoint Details
Check Email
Check if a user exists in ZewstID.
Request:
POST /api/zewstid/check-email Content-Type: application/json { "email": "user@example.com" }
Response:
{ "exists": true, "userId": "abc123" }
Get Auth Methods
Get available authentication methods for a user.
Request:
POST /api/zewstid/methods Content-Type: application/json { "email": "user@example.com" }
Response:
{ "methods": { "password": true, "otp": true, "magicLink": true, "passkey": false, "push": false }, "mfa": { "enabled": true, "totp": true, "push": false }, "userId": "abc123" }
Password Authentication
Authenticate with email and password.
Request:
POST /api/zewstid/password Content-Type: application/json { "email": "user@example.com", "password": "SecurePassword123!" }
Success Response:
{ "success": true, "redirectUrl": "/api/zewstid/establish-sso?callbackUrl=/dashboard", "user": { "email": "user@example.com", "name": "John Doe" } }
MFA Required Response:
{ "success": true, "mfaRequired": true, "mfaSessionId": "mfa_session_abc123", "redirectUrl": null }
Send OTP
Send a one-time password via email.
Request:
POST /api/zewstid/otp/send Content-Type: application/json { "email": "user@example.com" }
Response:
{ "success": true, "message": "OTP sent" }
Verify OTP
Verify a one-time password.
Request:
POST /api/zewstid/otp/verify Content-Type: application/json { "email": "user@example.com", "code": "123456" }
Response:
{ "success": true, "redirectUrl": "/api/zewstid/establish-sso?callbackUrl=/dashboard", "user": { "email": "user@example.com", "name": "John Doe" } }
Send Magic Link
Send a magic link email.
Request:
POST /api/zewstid/magic-link/send Content-Type: application/json { "email": "user@example.com", "callbackUrl": "/dashboard" }
Response:
{ "success": true, "message": "Magic link sent" }
Verify Magic Link
Verify a magic link token.
Request:
POST /api/zewstid/magic-link/verify Content-Type: application/json { "token": "magic_link_token_abc123" }
Response:
{ "success": true, "redirectUrl": "/api/zewstid/establish-sso?callbackUrl=/dashboard", "user": { "email": "user@example.com", "name": "John Doe" } }
Verify MFA
Verify a TOTP code for MFA.
Request:
POST /api/zewstid/mfa/verify Content-Type: application/json { "mfaSessionId": "mfa_session_abc123", "method": "totp", "code": "123456" }
Response:
{ "verified": true, "redirectUrl": "/api/zewstid/establish-sso?callbackUrl=/dashboard", "user": { "email": "user@example.com", "name": "John Doe" } }
Establish SSO
Redirects to establish a ZewstID SSO session. This endpoint is called automatically after successful authentication.
Request:
GET /api/zewstid/establish-sso?callbackUrl=/dashboard
This endpoint:
- Reads the ID token from a cookie set during authentication
- Redirects to the client-side SSO establishment page
- The client page calls NextAuth's with
signIn()andprompt=noneid_token_hint - ZewstID establishes the SSO session without requiring re-authentication
- User is redirected to the callback URL
SSO Flow
After successful direct authentication (password, OTP, magic link), the SDK automatically establishes a ZewstID SSO session:
1. User authenticates via password/OTP/magic-link 2. API returns tokens + sets id_token cookie 3. Client redirects to /api/zewstid/establish-sso 4. establish-sso redirects to /establish-sso page 5. Client page calls signIn('zewstid', {}, { prompt: 'none', id_token_hint }) 6. ZewstID validates token and sets SSO cookie 7. User is redirected to callback URL 8. User is now signed in with full SSO
This enables:
- Cross-Portal SSO: Sign in once, access all connected apps
- Silent Authentication: Navigate between apps without re-authenticating
- Session Sharing: All ZewstID apps share the same session
Error Handling
All endpoints return consistent error responses:
{ "error": "error_code", "error_description": "Human-readable error message" }
Common error codes:
- - Missing required fields
invalid_request - - Wrong email/password
invalid_credentials - - Email not registered
user_not_found - - Wrong OTP or MFA code
invalid_code - - Magic link or session expired
expired_token - - Too many requests
rate_limited
Using with SignIn Components
The handlers work seamlessly with the SDK's SignIn components:
// app/signin/page.tsx import { SignIn } from '@zewstid/nextjs'; export default function SignInPage() { return ( <SignIn apiBasePath="/api/zewstid" // Points to your handlers callbackUrl="/dashboard" /> ); }
The SignIn component automatically calls the correct handler endpoints.
Custom API Path
If you need a different API path:
// app/api/auth/zewst/[...path]/route.ts import { createZewstIDHandlers } from '@zewstid/nextjs/handlers'; const handlers = createZewstIDHandlers({ clientId: process.env.ZEWSTID_CLIENT_ID!, }); export const GET = handlers.GET; export const POST = handlers.POST;
Then update your SignIn component:
<SignIn apiBasePath="/api/auth/zewst" />
Related
- SignIn Components - Pre-built UI components
- Authentication Methods - All auth method APIs
- Troubleshooting - Common issues
Was this page helpful?
Let us know how we can improve our documentation