Authentication Flow

The Deva SDK handles user authentication automatically using OAuth 2.0, managing the entire lifecycle from login to token refresh without manual intervention.


Overview

Authentication in the Deva SDK moves through four stages:

  • Login - User authenticates with Deva account

  • Session - Authenticated access to Deva platform

  • Refresh - Automatic token renewal (background)

  • Logout - Clean session termination


Authentication Lifecycle

1. Initial State

When your app starts, users are unauthenticated. The SDK checks for stored credentials and may restore a previous session automatically.

2. Login Process

When a user initiates login:

  • SDK redirects to Deva's secure login page

  • User authenticates with their Deva account

  • SDK receives authentication tokens

  • User information is fetched and stored

  • App state updates to authenticated

Learn how to implement login

3. Authenticated Session

Once authenticated:

  • User data is available via useDeva() hook

  • Access tokens are included in API requests automatically

  • SDK monitors token expiration

  • Session persists across page refreshes

Understand token management

4. Automatic Token Refresh

Before tokens expire:

  • SDK detects upcoming expiration

  • Refresh token is used to obtain new access token

  • Process happens in the background

  • User experience is uninterrupted

Understand automatic token refresh

5. Logout

When a user logs out:

  • Tokens are revoked on the server

  • Local session data is cleared

  • App state returns to unauthenticated

Learn about logout handling


How the SDK Manages Authentication

The DevaProvider component handles authentication automatically:

<DevaProvider clientId="..." redirectUri="..." env="...">
  {/* Authentication state available throughout your app */}
</DevaProvider>

What it manages:

  • OAuth flow (PKCE) for secure authentication

  • Token storage and retrieval

  • Automatic token refresh

  • Session persistence

  • Error handling

Deep dive into OAuth


Access Authentication State

Use the useDeva() hook to access authentication information:

const { isAuthenticated, user, accessToken, login, logout } = useDeva();

Available data:

  • isAuthenticated - Whether user is logged in

  • user - User profile information

  • accessToken - Current access token

  • login() - Initiate login flow

  • logout() - End user session

Explore useDeva hook


Security Features

The SDK implements multiple security measures:

OAuth 2.0 + OIDC

  • Industry-standard authentication protocol

  • OpenID Connect for identity verification

PKCE (Proof Key for Code Exchange)

  • Prevents authorization code interception

  • Safe for browser-based applications

  • No client secrets in frontend code
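
How PKCE keeps an intercepted authorization code from being redeemed, shown as an added example rather than Deva SDK code. It follows the S256 method from RFC 7636; the in-memory server and the `authorize` and `redeem` functions are hypothetical stand-ins for an authorization endpoint and a token endpoint.

```javascript
// Added illustration of PKCE (RFC 7636, S256 method); not Deva SDK code.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// Client: a fresh high-entropy secret per login attempt; it never leaves the app.
function createCodeVerifier() {
  return randomBytes(32).toString('base64url'); // 43 chars (RFC 7636 allows 43-128)
}

// Client: only this hash travels in the front-channel authorization request.
function challengeFor(verifier) {
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Constructed in-memory authorization server (hypothetical): code -> challenge.
const issuedCodes = new Map();

function authorize(codeChallenge, method) {
  if (method !== 'S256') throw new Error('only S256 is accepted');
  const code = randomBytes(16).toString('hex');
  issuedCodes.set(code, codeChallenge);
  return code; // delivered to the app through the redirect URI
}

// Token endpoint: a code is single-use and redeemable only with the verifier.
function redeem(code, codeVerifier) {
  const stored = issuedCodes.get(code);
  issuedCodes.delete(code); // design choice here: burn the code on any attempt
  if (!stored || !/^[A-Za-z0-9\-._~]{43,128}$/.test(codeVerifier ?? '')) return false;
  const a = Buffer.from(challengeFor(codeVerifier));
  const b = Buffer.from(stored);
  return a.length === b.length && timingSafeEqual(a, b);
}

function demo() {
  const verifier = createCodeVerifier();
  const interceptedCode = authorize(challengeFor(verifier), 'S256');
  const ownCode = authorize(challengeFor(verifier), 'S256');
  return {
    // A party holding only the code has to guess the verifier, and fails.
    withoutVerifier: redeem(interceptedCode, createCodeVerifier()),
    legitimate: redeem(ownCode, verifier),
    replay: redeem(ownCode, verifier), // second use of the same code
  };
}

console.log(demo());
```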

Automatic Token Management

  • Short-lived access tokens (15 minutes)

  • Secure refresh token rotation

  • Server-side token revocation

Learn about OAuth security


Common Patterns

Protecting Routes

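Check authentication status before rendering. This only controls what the UI shows; the backend must still validate the access token on every request:

const { isAuthenticated } = useDeva();

if (!isAuthenticated) {
  return <LoginPrompt />;
}

return <ProtectedContent />;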

Loading States

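Wait for the SDK to finish initializing before branching on isAuthenticated:

const { isReady, isAuthenticated } = useDeva();

if (!isReady) {
  return <Loading />;
}

return isAuthenticated ? <ProtectedContent /> : <LoginPrompt />;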

Error Handling

Respond to authentication errors:

const { authError } = useDeva();

if (authError) {
  return <ErrorMessage error={authError} />;
}

Summary

The Deva SDK authentication flow:

  1. Starts unauthenticated - Clean state on app load

  2. User initiates login - Redirects to Deva SSO

  3. OAuth exchange - Secure token retrieval

  4. Session active - Full access to Deva platform

  5. Auto-refresh - Seamless token renewal

  6. Logout available - Clean session termination

Everything is handled automatically by the SDK - you only need to check authentication status and call login() or logout().

