SvelteKit quickstart
Add Wocha authentication to a SvelteKit app using @wocha/sveltekit with the BFF (Backend-for-Frontend) pattern.
Add Wocha authentication to a SvelteKit app using @wocha/sveltekit with the BFF (Backend-for-Frontend) pattern. Token exchange runs on the server; sessions are stored in encrypted httpOnly cookies.
Prerequisites
- Node.js 18+
- SvelteKit 2+ project
- A Wocha project with a confidential OAuth application (Wocha Console)
- Redirect URI registered:
http://localhost:5173/auth/callback
What you'll build
A SvelteKit app with server-side OAuth routes, encrypted cookies, and client stores for sign-in state.
Welcome back
After sign-in
✓ Session stored securely
✓ User profile available in your app
✓ Organisation context ready for multi-tenant features
Installation
pnpm add @wocha/sveltekitnpx @wocha/cli init --framework sveltekitPeer dependencies: @sveltejs/kit ^2.0, Svelte 4 or 5.
Environment variables
Create .env:
Auth route handler
Create src/routes/auth/[...wocha]/+server.ts:
This exposes:
| Route | Purpose |
|---|---|
GET /auth/login | Start OAuth login |
GET /auth/callback | OAuth callback — sets session cookie |
GET /auth/logout | End session |
GET /auth/session | Public session JSON for client stores |
POST /auth/switch-org | Switch active organisation |
Route protection hook
Add to src/hooks.server.ts:
Unauthenticated requests to protected routes redirect to /auth/login?return_to=….
Client stores and components
Use stores in your Svelte pages:
Conditional rendering with components:
Server-side session access
Use helpers in +page.server.ts:
Testing the integration
-
Start the dev server:
-
Visit http://localhost:5173 and click Sign in.
-
Complete login on the hosted auth UI.
-
Confirm you return with an active session — check
$userin the browser or callGET /auth/session. -
Visit a protected route (not in
publicPaths) while signed out — you should be redirected to/auth/login.
Next steps
- SDK reference — hooks, server helpers, and configuration options
- Webhooks overview — receive user and session lifecycle events
- Common patterns — protect routes, org switching, and role-based UI