Skip to main content
The auth module handles authentication for the current end user. Use it to register and log in users, rotate tokens, and run password and email-verification flows.
These functions run as the end user — there is no API key and no actor user ID. signIn, signUp, and verifyExternalUser automatically store the returned tokens, and signOut clears them (see the auth section of the SDK overview).

signUp

Registers a new user and stores the returned tokens. 
const { user, accessToken, refreshToken } = await sublay.auth.signUp({
  email: "user@example.com",
  password: "s3cur3P@ss",
  name: "Alice",
  username: "alice",
});
email
string
required
The user’s email address.
password
string
required
The user’s plain-text password (hashed server-side).
name
string
Display name for the user.
username
string
Unique username for the user.
avatar
string
URL of the user’s avatar image.
bio
string
Short biography for the user.
location
{ latitude: number; longitude: number }
The user’s geographic location.
birthdate
string
The user’s birthdate as an ISO 8601 string.
metadata
Record<string, any>
Arbitrary key-value data attached to the user at creation time.
secureMetadata
Record<string, any>
Sensitive key-value data attached to the user, not exposed to clients.
ReturnsPromise<{ user: AuthUser; accessToken: string; refreshToken: string }>

signIn

Authenticates with email/password and stores the returned tokens. 
const { user, accessToken, refreshToken } = await sublay.auth.signIn({
  email: "user@example.com",
  password: "s3cur3P@ss",
});
email
string
required
The user’s email address.
password
string
required
The user’s password.
ReturnsPromise<{ user: AuthUser; accessToken: string; refreshToken: string }>

signOut

Signs the user out (revokes the refresh token) and clears stored tokens. 
await sublay.auth.signOut();
The whole argument is optional.
refreshToken
string
The refresh token to revoke. Defaults to the SDK’s stored refresh token.
ReturnsPromise<void>

verifyExternalUser

Exchanges a host-issued user JWT for Sublay tokens and stores them. Use this when your app manages its own auth. 
const { user, accessToken, refreshToken } = await sublay.auth.verifyExternalUser({
  userJwt: signedJwt,
});
userJwt
string
required
A JWT issued by your application, containing user identity claims.
ReturnsPromise<{ user: AuthUser; accessToken: string; refreshToken: string }>

requestNewAccessToken

Manually rotates the access token using a refresh token. Normally this is handled automatically on a 403 in SDK-managed mode. 
const { accessToken, refreshToken } = await sublay.auth.requestNewAccessToken();
The whole argument is optional.
refreshToken
string
The refresh token to exchange. Defaults to the SDK’s stored refresh token.
Persist the new refreshToken if one is present (token rotation), or use SDK-managed mode, which does this for you.
ReturnsPromise<{ accessToken: string; refreshToken?: string }>

requestPasswordReset

Sends a password-reset email. 
await sublay.auth.requestPasswordReset({ email: "user@example.com" });
email
string
required
The email address to send the reset link to.
ReturnsPromise<void>

resetPassword

Completes a password reset using a token from the email. 
await sublay.auth.resetPassword({
  token: resetToken,
  newPassword: "newS3cur3P@ss",
});
token
string
required
The reset token from the password reset email.
newPassword
string
required
The new password to set for the account.
ReturnsPromise<void>

changePassword

Changes the authenticated user’s password after verifying the current one. Use this for an authenticated “change password” flow, as opposed to the token-based resetPassword. 
const { success, message } = await sublay.auth.changePassword({
  password: "currentP@ss",
  newPassword: "newS3cur3P@ss",
});
password
string
required
The user’s current password (verified before the change).
newPassword
string
required
The new password to set.
ReturnsPromise<{ success: boolean; message: string }>

sendVerificationEmail

Sends (or re-sends) an email-verification message to the authenticated user, delivered as a code or a link. 
const { success } = await sublay.auth.sendVerificationEmail({
  mode: "code",
});
The whole argument is optional.
mode
"code" | "link"
"code" emails a short token the user enters; "link" emails a verification URL. Defaults to "code".
tokenFormat
"hex" | "numeric" | "alpha" | "alphanumeric"
Format of the generated token.
tokenLength
number
Length of the generated token.
redirectUrl
string
For mode: "link" — where to send the user after the link is verified.
ReturnsPromise<{ success: boolean }>

verifyEmail

Verifies a user’s email using a verification token. 
await sublay.auth.verifyEmail({ token: verificationToken });
token
string
required
The email verification token.
ReturnsPromise<void>

requestAccountDeletion

Starts self-service deletion of the authenticated user’s account by emailing them a one-time confirmation code (valid for 10 minutes). This does not delete anything on its own — pass the code to confirmAccountDeletion to finish. 
const { success } = await sublay.auth.requestAccountDeletion();
Only works for accounts with an email on file. Accounts without one (e.g. anonymous or foreign-id users) must be deleted server-side with a service key via @sublay/node. The request fails with auth/no-email-on-file otherwise. Takes no arguments. ReturnsPromise<{ success: boolean }>

confirmAccountDeletion

Verifies the emailed code and permanently deletes the authenticated user’s account. The cascade matches the service-key delete — entities and comments are kept as hollow shells; everything else owned by the user is removed. 
await sublay.auth.confirmAccountDeletion({ code: "048291" });
Deletion is immediate and irreversible. The user and their session tokens no longer exist after this resolves.
code
string
required
The one-time confirmation code from the deletion email.
ReturnsPromise<void>