apps/docs/content/sdk-examples/qwik.mdx
Qwik is a framework for building resumable web applications with instant-on interactivity and optimal performance. This example demonstrates how to integrate Zitadel using the OAuth 2.0 PKCE flow to authenticate users securely and maintain sessions across the app.
This example uses @auth/qwik, a Qwik adapter for @auth/core, a Qwik adapter for @auth/core (formerly Auth.js/NextAuth.js), which implements the OpenID Connect (OIDC), a Qwik adapter for @auth/core (formerly Auth.js/NextAuth.js), which implements the OpenID Connect (OIDC) flow, manages PKCE, performs token exchange, and exposes helpers for session state. The core library handles authentication across multiple frameworks and provides secure token storage with automatic token refresh, a Qwik adapter for @auth/core (formerly Auth.js/NextAuth.js), which implements the OpenID Connect (OIDC) flow, manages PKCE, performs token exchange, and exposes helpers for session state. The core library handles authentication across multiple frameworks and provides secure token storage with automatic token refresh capabilities.
This Qwik application showcases a complete authentication implementation using Zitadel application showcases a complete authentication implementation using Zitadel with the Authorization Code Flow with PKCE. The example includes secure sign-in functionality that redirects users to Zitadel's hosted login page, handles the OAuth callback to exchange authorization codes for access tokens, and manages sessions with JWT tokens application showcases a complete authentication implementation using Zitadel with the Authorization Code Flow with PKCE. The example includes secure sign-in functionality that redirects users to Zitadel's hosted login page, handles the OAuth callback to exchange authorization codes for access tokens, and manages sessions with JWT tokens stored in encrypted server-side cookies.
Route protection is implemented using Qwik City's onRequest handler, which performs server-side authentication checks before rendering protected pages. Unauthenticated users attempting to access secured routes are automatically redirected to the login page with a callback URL to return them to their intended destination after successful authentication. The application displays comprehensive user profile information including standard OIDC claims like name and email, as well as Zitadel-specific claims such as organization membership and project roles.
Sign-out functionality implements federated logout through Zitadel's end-session endpoint, ensuring that users are logged out from both the application and Zitadel's single sign-on session. The logout process includes CSRF protection using state parameters validated through secure cookies, followed by proper cleanup of session data and redirection back to the application.
Before running this example, you need to create and configure a PKCE application in the ZITADEL Management Console. Follow the PKCE application setup guide to:
http://localhost:3000/auth/callback/zitadel for development)http://localhost:3000/api/auth/logout/callback)Note: Make sure to enable Dev Mode in the ZITADEL Management Console if you're using HTTP URLs during local development. For production, always use HTTPS URLs and disable Dev Mode.
Once you have your Zitadel application configured:
.env.local file and configure it with the values from your Zitadel application:
VITE_PORT=3000
VITE_SESSION_SECRET=your-very-secret-and-strong-session-key
VITE_SESSION_DURATION=3600
VITE_ZITADEL_DOMAIN=https://your-instance.zitadel.cloud
VITE_ZITADEL_CLIENT_ID=your_client_id_from_console
VITE_ZITADEL_CLIENT_SECRET=your-randomly-generated-client-secret
VITE_ZITADEL_CALLBACK_URL=http://localhost:3000/auth/callback/zitadel
VITE_ZITADEL_POST_LOGOUT_URL=http://localhost:3000/api/auth/logout/callback
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))")npm install
npm run dev
The application will be available at http://localhost:3000.