Quickstart
Go from zero to a verified sign-in in about five minutes. This guide is framework-agnostic; the steps are the same whether you ship Next.js, React, or a plain Node service.
You will create an OrthID project, copy your keys, install the SDK, point it at a region, sign a user in, and verify their session on the server. Once that round trip works, the framework quickstarts add the convenience layer (components, middleware, hooks) on top.
1. Create a project
Sign in to the OrthID dashboard and create a project. A project is the boundary for your users, organisations, keys, and audit log. Every project is pinned to a single home region that you choose at creation time.
2. Grab your keys
Open Settings → API keys. You will use two values:
- A publishable key (pk_...) that is safe to ship to the browser. It identifies your project to the client SDKs.
- A secret key (sk_...) that lives only on your server. It can verify sessions, mint agent credentials, and call the management API. Never expose it to the client.
au-syd-1, au-mel-2, uk-lon-1, eu-fra-1, and us-chi-1. See Regions & sovereignty for the full picture.
3. Install the SDK
Install the core SDK. It works in any JavaScript or TypeScript runtime and is the foundation under the React and Next.js packages.
npm install @orthid/sdk
4. Set your environment variables
Add your keys and region to a local .env file. The publishable key's variable name carries the NEXT_PUBLIC_ prefix so it can be exposed to client bundles; the secret key and region stay on the server.
NEXT_PUBLIC_ORTHID_PUBLISHABLE_KEY=pk_live_your_publishable_key
ORTHID_SECRET_KEY=sk_live_your_secret_key
ORTHID_REGION=au-syd-1
5. Add a sign-in
The fastest way to authenticate a user is OrthID’s hosted sign-in. Redirect the browser to it, and OrthID handles passkeys, MFA, and SSO, then returns the user to your app with a session token.
import { orthid } from "@orthid/sdk";

// Build a hosted sign-in URL and send the browser there.
const url = orthid.signInUrl({
  redirectUrl: "https://app.example.com/welcome",
});
window.location.href = url;
6. Verify the session on the server
After sign-in, every request from the browser carries a session token (a JWT). On the server, verify it with the secret key before trusting it. A verified result gives you the session and the actor: who, or what, is making the request.
import { orthid } from "@orthid/sdk";

export async function getActor(request: Request) {
  const token = request.headers
    .get("authorization")
    ?.replace("Bearer ", "");
  if (!token) return null;

  // Verifies the JWT signature, expiry, and region binding.
  const { session, actor } = await orthid.sessions.verify(token);

  // actor.type is "user" | "agent"; actor.id is the stable identifier.
  return { session, actor };
}
orthid.sessions.verify() validates the token locally against your project’s signing keys, so it adds no network round trip on the hot path. It throws if the token is expired, tampered with, or issued for a different region.
Next steps
- Next.js quickstart for App Router middleware, the provider, and server-side session reads.
- React quickstart for the provider, hooks, and drop-in components.
- Node quickstart for backend verification and protecting an Express API.
- Core concepts to understand the three actors, sessions, and tokens that run through everything.
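For step 6: orthid.sessions.verify() throws on an expired, tampered, or wrong-region token, so the calling code has to turn that throw into a rejection rather than let it surface as an unhandled error. The block below is an added example, not OrthID's code; authenticate, extractBearerToken, the result shape, and the stub verifier are assumptions made here, and the verify parameter stands in for orthid.sessions.verify so the block runs without the SDK installed.

```typescript
// Added example, not part of the OrthID SDK. `Verify` stands in for
// orthid.sessions.verify so this runs without the SDK installed.
type Actor = { type: "user" | "agent"; id: string };
type Verified = { session: unknown; actor: Actor };
type Verify = (token: string) => Promise<Verified>;

type AuthResult =
  | { ok: true; session: unknown; actor: Actor }
  | { ok: false; status: 401; reason: "missing" | "malformed" | "rejected" };

// Accept exactly "Bearer <token>" (the scheme name is case-insensitive).
// Anything else is rejected instead of being passed on as a token.
function extractBearerToken(header: string | null): string | null {
  if (header === null) return null;
  const match = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(header.trim());
  return match?.[1] ?? null;
}

// Fail closed: a missing header, a malformed header, and a token that
// verify() throws on all end in a 401, never in a half-trusted actor.
async function authenticate(header: string | null, verify: Verify): Promise<AuthResult> {
  if (header === null || header.trim() === "") {
    return { ok: false, status: 401, reason: "missing" };
  }
  const token = extractBearerToken(header);
  if (token === null) return { ok: false, status: 401, reason: "malformed" };
  try {
    const { session, actor } = await verify(token);
    return { ok: true, session, actor };
  } catch {
    // Expired, tampered, or wrong-region tokens land here. Log server-side
    // if needed; do not echo the error detail back to the client.
    return { ok: false, status: 401, reason: "rejected" };
  }
}

// Constructed stub verifier for the demo: accepts one token, throws otherwise.
const stubVerify: Verify = async (token) => {
  if (token !== "good.token.value") throw new Error("invalid token");
  return { session: { id: "sess_demo" }, actor: { type: "user", id: "user_demo" } };
};
```

In a real handler, pass request.headers.get("authorization") as the header and orthid.sessions.verify as the verifier.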