Skip to main content

Migrating to
@zewstid/id-*

Audience: anyone who imports

@zewstid/nextjs
,
@zewstid/node
,
@zewstid/react
,
@zewstid/react-native
, or
@zewstid/events
. Effort: 5 minutes per project.

In May 2026, the runtime SDKs were renamed with an

id-
product prefix to free the unprefixed names for future product SDKs (
@zewstid/cal-*
,
@zewstid/mail-*
,
@zewstid/profile-*
). They were also moved to npmjs.com as private (org-restricted) packages.

OldNew
@zewstid/nextjs
@zewstid/id-nextjs
@zewstid/node
@zewstid/id-node
@zewstid/react
@zewstid/id-react
@zewstid/react-native
@zewstid/id-react-native
@zewstid/events
@zewstid/id-events

No API changes. Imports keep working with a one-line rename in

package.json
.

The 3-step migration

Step 1 — Authenticate with npm

These packages are private to the

@zewstid
org on npmjs.com. You need to be added to the org and logged in.

# One-time per machine
npm login --scope=@zewstid --registry=https://registry.npmjs.org/

For CI / automation, set

NPM_TOKEN
in your secrets and create a project
.npmrc
:

//registry.npmjs.org/:_authToken=${NPM_TOKEN}

Heads-up: if you've previously been authenticating against

npm.zewstid.com
(the private Verdaccio), you can drop that. The new packages live on the public registry but are gated by org membership.

Step 2 — Update
package.json

Replace the dep names. No version bump required — the new packages continue the same version line:

  "dependencies": {
-   "@zewstid/nextjs": "^0.9.7",
+   "@zewstid/id-nextjs": "^0.9.7",
-   "@zewstid/events": "^0.1.0"
+   "@zewstid/id-events": "^0.1.0"
  }

If you're on an old version (

^0.9.0
,
^0.7.1
, etc.), bump to the latest while you're in the file — see the SDK changelog.

Step 3 — Reinstall

rm -rf node_modules package-lock.json
npm install

That's it. Imports inside your codebase don't change —

@zewstid/id-nextjs
exports the same names (
createZewstIDAuth
,
EmbeddedSignIn
,
UserButton
, etc.).

What you get along with the rename

The rename shipped with two substantial new features. They're already in the new packages — just adopt at your own pace.

1. User-scoped API keys

Your app can now issue API keys to its end users via ZewstID instead of building your own key infrastructure.

// Server-side — issue a key for the signed-in user
import { getServerSession } from 'next-auth/next';
import { getUserApiKeysClient } from '@zewstid/id-nextjs/server';

export async function POST(req: Request) {
  const session = await getServerSession(authOptions);
  const { name, scopes } = await req.json();

  const keys = getUserApiKeysClient();
  const { apiKey } = await keys.create({
    forUserSub: session.user.zewstIdSub,
    name,
    scopes,
    expiresInDays: 90,
  });
  // apiKey.key is shown ONCE — return to client, then drop.
  return Response.json({ apiKey });
}

Drop-in client-side UI:

'use client';
import { ZewstIDApiKeysManager } from '@zewstid/id-nextjs';

export default function ApiKeysSettings() {
  return (
    <ZewstIDApiKeysManager
      endpoints={{ list: '/api/me/api-keys', create: '/api/me/api-keys', revoke: (id) => `/api/me/api-keys/${id}` }}
      availableScopes={[
        { value: 'cal:read',  label: 'Read calendar events' },
        { value: 'cal:write', label: 'Manage calendar events' },
      ]}
    />
  );
}

Full guide: User-scoped API keys.

2. Standards-based OIDC discovery

Standard OIDC client libraries (NextAuth's

KeycloakProvider
, jose, oauth2-proxy, AWS Cognito federation, AWS API Gateway JWT authorizer) auto-discover everything from one URL:

https://api.zewstid.com/.well-known/openid-configuration

No more hardcoding endpoint paths or hunting through Keycloak realm URLs. The auto-discovery doc advertises the clean

/oauth/{authorize,token,introspect,revoke,userinfo,logout}
aliases. Token verifiers point at
https://api.zewstid.com/.well-known/jwks.json
.

If you currently hardcode endpoints in your app, you can replace them with discovery — see the OIDC Discovery guide.

Troubleshooting

npm install
returns
404 Not Found

You're not authenticated to the

@zewstid
org. Run
npm whoami --registry=https://registry.npmjs.org/
— if it errors, run
npm login --scope=@zewstid
and retry.

403 Forbidden
instead of 404

You're authenticated but your account isn't a member of the

@zewstid
org with read access. Ask an org admin to add you (npmjs.com → Organizations → @zewstid → Members).

CI build fails with auth error

Make sure your CI's

.npmrc
references
${NPM_TOKEN}
and that the token is set as a CI secret. The token must be from an account with
@zewstid
org read access. Tokens are created at https://www.npmjs.com/settings/<your-account>/tokens.

Old
@zewstid/nextjs
still resolves on
npm install

If you didn't delete

package-lock.json
before reinstalling, npm may have kept the old resolution. Run:

rm -rf node_modules package-lock.json
npm install

Mixing old and new in the same project

Don't. The old packages on Verdaccio (

npm.zewstid.com
) are now legacy and won't get fixes. Pick a migration window and move all
@zewstid/*
deps to
@zewstid/id-*
together.

See also

Was this page helpful?

Let us know how we can improve our documentation