Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.alterauth.com/llms.txt

Use this file to discover all available pages before exploring further.

Session Tokens

Session tokens are temporary credentials that authorize Alter Connect without exposing API keys.

Token Properties

PropertyDescriptionDefault
LifetimeHow long token is valid10 minutes
Single useCan only create one connectionNo
IP restrictedLocked to user’s IPOptional
Provider listWhich providers to showAll configured (if omitted)

Creating Secure Sessions

Always create sessions on the backend: 
// YOUR backend - never expose API keys
const session = await vault.createConnectSession({
  allowedProviders: ['google', 'slack'],
  allowedOrigin: 'https://yourapp.com',  // Optional, see below
});
// Pass session.sessionToken to your frontend

Understanding allowed_origin

The allowed_origin parameter controls postMessage security for desktop popup flows:
ScenarioWhat to PassExample
Single domainOmit field (uses website_url from Developer Portal)Configure in Portal
Multiple environmentsPass specific origin'https://staging.myapp.com'
Local developmentPass localhost'http://localhost:3000'
Headless / CLI / server-to-serverOmit fieldFlow completes; user closes tab manually
Wildcard * is NOT supported. To allow any origin, omit the field or pass null — the system uses website_url from the Developer Portal as a fallback. If neither is set, the OAuth flow still completes but the popup will not auto-close or notify the parent window.
Valid origin formats:
  • https://myapp.com
  • http://localhost:3000
  • ⚠️ https://myapp.com/ (trailing slash auto-removed)
  • https://myapp.com/path (no path)
  • * (wildcard not supported)

Configuration

const alterConnect = AlterConnect.create({
  debug: true  // Enable console logging (default: false)
});
OptionTypeDescription
debugbooleanEnable console logs
Visual customization (colors, fonts, logo) is configured via the Developer Portal branding settings. The backend-served Connect UI applies the branding automatically. See Branding & Customization below for details.

Open Options

Configure the widget when opening: 
await alterConnect.open({
  // Required
  token: sessionToken,             // From your backend
  onSuccess: (connections) => {}, // Called with array of Connection objects

  // Optional
  onError: (error) => {},        // Error callback
  onExit: () => {},              // Called when user closes without connecting
  onEvent: (name, meta) => {},   // Analytics events
});

Connections Array

onSuccess receives an array of Connection objects (multi-provider flow). Users can connect multiple providers in a single session. 
interface Connection {
  grant_id: string;           // Unique ID for this grant
  provider: string;            // Provider ID (e.g., 'google')
  provider_name: string;       // Display name (e.g., 'Google')
  account_identifier: string;  // User's email/username
  timestamp: string;           // ISO 8601 timestamp
  operation: 'creation' | 'reauth';  // How the grant was established
  scopes: string[];           // OAuth scopes granted
  status: 'active' | 'pending' | 'error';
  metadata?: {                // Optional provider-specific data
    account_display_name?: string;
    account_email?: string;
  };
}

Error Handling

Handle errors gracefully: 
await alterConnect.open({
  token: sessionToken,
  onSuccess: (connections) => {
    // User completed OAuth! Save each grant_id to your database, mapped to your user.
    for (const conn of connections) {
      saveConnection(currentUser.id, conn.grant_id, conn.provider);
    }
  },
  onError: (error) => {
    console.error('Connection failed:', error);

    switch(error.code) {
      case 'popup_blocked':
        // Browser blocked the popup
        alert('Please allow popups for this site');
        break;
      case 'oauth_error':
        // OAuth provider issue
        alert('Provider error. Please try again.');
        break;
      case 'network_error':
        // Could not reach Alter API
        alert('Network error. Please check your connection.');
        break;
      case 'timeout':
        // Request timed out
        alert('Request timed out. Please try again.');
        break;
      default:
        alert('Connection failed. Please try again.');
    }
  }
});

Browser Support

BrowserMinimum Version
Chrome/Edge90+
Firefox88+
Safari14+
iOS Safari14+
Chrome MobileLatest

Content Security Policy

If the application uses a Content Security Policy, the Alter Connect domain must be allowed. Check the Developer Portal for the exact domain to add to the frame-src and connect-src directives.

TypeScript

Full TypeScript support included: 
import AlterConnect, {
  AlterConnectConfig,
  OpenOptions,
  Connection,
  AlterError
} from '@alter-ai/connect';

const config: AlterConnectConfig = {
  debug: true
};

const alterConnect = AlterConnect.create(config);

Methods

AlterConnect.create(config?)

Create an instance with optional configuration.

alterConnect.open(options)

Open the OAuth connection flow. Returns a Promise.

alterConnect.close()

Programmatically close the widget.

alterConnect.destroy()

Clean up and remove event listeners.

Events

Listen to SDK events: 
// Analytics events via onEvent callback
await alterConnect.open({
  token: sessionToken,
  onSuccess: (connections) => { /* ... */ },
  onEvent: (eventName, metadata) => {
    console.log('Event:', eventName, metadata);
    // Fires: 'connect_opened' when popup opens
  }
});

// Or use the on() method for global listeners
alterConnect.on('success', (connections) => {
  console.log('Connection successful:', connections);
});

alterConnect.on('error', (error) => {
  console.log('Connection error:', error);
});

Branding & Customization

Customize the Alter Connect UI to match the application’s look and feel. Branding is configured in the Developer Portal and applied automatically when users open the Connect flow.

What You Can Customize

PropertyDescriptionRequirements
LogoThe application logo displayed in the Connect UIHTTPS URL, max 500 characters
Primary colorButtons and interactive elementsHex format (#RRGGBB)
Text colorText and labelsHex format (#RRGGBB)
Background colorPage backgroundHex format (#RRGGBB)
Font familyTypography throughout the UIAny CSS font-family value (optional)

Setting Up Branding

1

Open the Developer Portal

Go to portal.alterauth.com and select the application
2

Go to Branding

Click Branding in the app sidebar
3

Configure the brand

  • Upload or link to a logo (HTTPS URLs only)
  • Set the brand colors (primary, text, background)
  • Optionally set a custom font family
4

Save

The branding is applied immediately to all new Alter Connect sessions

How It Works

When a user opens Alter Connect, the UI automatically renders with the configured branding:
  • The logo appears at the top of the provider selection and authorization screens
  • The primary color is used for buttons, links, and interactive elements
  • The text and background colors ensure readable contrast
  • The font family (if set) applies to all text in the UI
No frontend code changes needed — branding is applied server-side.

Resetting to Defaults

Delete the branding configuration in the Developer Portal to revert to the default Alter Connect appearance.
Use colors with good contrast between text and background. Test the branding by opening a Connect session after saving.

Troubleshooting

Widget Not Opening

  • Verify session token is valid (not expired)
  • Check browser console for errors
  • Ensure popup blockers are disabled

Connection Fails

  • Verify OAuth app credentials in Developer Portal
  • Check redirect URI matches exactly
  • Ensure scopes are configured correctly

Tokens Not Working

  • Confirm the grant_id is correct and belongs to the application
  • Verify connection was completed successfully
  • Check token hasn’t expired (auto-refresh should handle this)

Security Best Practices

  1. Never expose API keys - Always create sessions server-side
  2. Use short-lived tokens - 10 minutes or less
  3. Implement IP restrictions - Lock sessions to user’s IP
  4. Validate on backend - Always verify the connection on the server
  5. Use HTTPS - Never use in production without HTTPS