Web Widgets

Web Widgets are embeddable UI elements for common user management interactions including register, sign in, user settings and account recovery. The widgets are configurable to your needs.
Widgets are embedded elements that use iframes. Your app is required to add frame-src exception in content security policy if the domain of Authcore is not on the same origin domain.


The packages will be published to npm when v1.0 is released
Install via npm:
$ npm install authcore-js
Install via yarn:
$ yarn add authcore-js


User Registration

<!-- Element for the widget to be injected -->
<div id="authcore-register-container"></div>
let privateStore = {};
// Instantiate Register widget
new AuthCoreWidgets.Login({
container: 'authcore-register-container', // Id of the HTML element for the widget
root: '', // Authcore is hosted on the sub-domain of,
initialScreen: 'register', // Set initial screen to register
logo: 'default', // Default to show Authcore logo
company: 'Authcore',
successRedirectUrl: '',
analyticsHook: (type, data) => {
// type is a string describing the event. It is contained in the event list. All Authcore events are typed with prefix `Authcore_`.
// data is a object which is the associated data of an event. By default, if no data is associated, it will be a empty object `{}`.
// code for analytics

User Profile

<!-- Element for the widget to be injected -->
<div id="authcore-profile-container"></div>
// Instantiate Profile widget
new AuthCoreWidgets.Profile({
container: 'authcore-profile-container', // Id of the HTML element for the widget
root: '', // Authcore is hosted on the sub-domain of
callbacks: {
// Handle the unauthenticated case returns from the widget
unauthenticated: () => {};


Constructor Parameters

REQUIRED, string
The id of the HTML element where the widget will be rendered.
OPTIONAL, string
The domain where the Authcore widgets hosts, if it is not set it will refer to the window origin location with /widgets.
OPTIONAL, string
The logo shown in the widget. If no value is passed this section is hidden. Should be in absolute path format, also accept value "default" to serve as showcase of the widget style for Login widget.
OPTIONAL, string
The company name shown in the widget. If no value is passed this section is hidden.
REQUIRED except for Login or RefreshTokenwidget, string
The access token for API request requires authentication. This is done by using authorization code returned with successRedirectUrlfrom Login widget to get access token from create access token API.
OPTIONAL, string
The primary colour of the widget. Primary colour mainly consists of general button colour, link colour and border colour when the field box is in focus. Allow colour code, RGB colour value or named colour.
OPTIONAL, string
The success colour of the widget. Success colour mainly consists of verified message and icon. Allow colour code, RGB colour value or named colour.
OPTIONAL, string
The danger colour of the widget. Danger colour mainly consists of error message, button colour for destructive action (e.g. Remove contact) and invalid field box border. Allow colour code, RGB colour value or named colour.
OPTIONAL, boolean
The flag whether username is included in registration and sign in.
OPTIONAL, string
Widget language when it is loaded, default to be English when it is not set or the value is invalid or unavailable.
OPTIONAL, function
Callback hook after the certain action from widgets is success. Return the result including action as key in object format, use destructing assignment to get the data required.
OPTIONAL, function
Callback after the widgets is loaded and mounted to the site.
OPTIONAL, function
Hooks for analytics to recieve events. Two parameters describing the event are given for the hook, including type and data.
OPTIONAL, function
Callback when the widget returns unauthenticated error.
Action list for onSuccess callback:
Success callback is now DEPRECATED, use successRedirectUrl for registration or sign in flow.

Login Widgets

These widgets provides a simple UI widget for authenticating or registering users.


For register page, the field with Email or mobile label refer as contact field. For sign in page, the input field refer as handle field.
REQUIRED, string
The URL to be redirected with authorization code when registration or sign in flow is success.
OPTIONAL, string
The pre-fill contact(Register screen) or handle field value for Signin widget.
OPTIONAL, boolean
The flag indicates contact(Register screen) or handle field is fixed or not. If it is set to be fixed value should be provided on contact param, otherwise error will be throwed as it is impossible for user to sign in.
OPTIONAL, string
The flag indicates the initial screen, either register or signin, default to be signin.
OPTIONAL, string
The flag to decide position where social login pane should located, either topor bottom, default to be bottom.
OPTIONAL, string
The flag to decide option where social login pane in grid or list stye, either grid or list, default to be grid.
OPTIONAL, string
The flag to decide button size, either normal or large, default to be large.
For register as initialScreen:
When registration is completed, the screen will show loading spinner and redirect to successRedirectUrl set in widget instance.
For signin as initialScreen:
Social login pane list:
Normal button size:

User Widgets

Authcore provides some user widgets for updating a logged in user. These widgets require the accessToken parameter, which can be obtained from the access_token parameter from onSuccess callback in login widgets.


Show the settings of current login user, including password, 2-steps verification, devices (i.e. sessions) and social login sections.


Show the page to create Pass as 2-steps verification factor. It shows a QR code to be scanned for registration, once the process is successful it triggers onSuccess callback.
Follow the setting below to configure the page:
<!-- Element for the widget to be injected -->
<div id="authcore-pass-container"></div>
// Instantiate Pass widget
new AuthCoreWidgets.SettingPass({
container: 'authcore-pass-container', // Id of the HTML element for the widget
root: '', // Authcore is hosted on the sub-domain of
internal: true,
onSuccess: () => {
// Handle the case after the factor registration is successful.


We provide multiple events for analytics purpose. All events shown below are prefixed with Authcore_.
The events are show below:
Data (if any)
When a login widget (e.g. register / login) page is loaded
contactType: "email" / "phone"
When a user triggered register
service: "google" / "facebook" / "matters" / "twitter" / "apple"
When a user triggered oauth from social platform
method: "password"
When a user login using password
from/to: Page name("Register"/"SignIn")
When a user switch between register/sign in page within Login widget
Because of page reload in redirection, the widget cannot emit loginSuccess and registerSuccess events to the original page. Therefore, it is advised to record the success events manually in the redirected pages (from successRedirectUrl), and pages after signin.