autumnsgrove/groveengine
Overview
This skill integrates Heartwood (GroveAuth) authentication into Grove applications, providing sign-in, session validation, and route protection for multi-tenant Grove properties. It supports modern flows (Better Auth client, OAuth, magic links, and passkeys) and enables cross-subdomain SSO across .grove.place. Use it to add secure, fast auth to SvelteKit or other TypeScript Grove apps.
How this skill works
The skill wires your app to Heartwood’s frontend and auth-api endpoints, using either the Better Auth client library or direct API calls. It validates sessions via a KV-cached session endpoint or the legacy token verify endpoint, populates locals (user/session) on server requests, and enforces protection on layouts and API routes. Client registration and secrets are handled through environment variables and registered client records.
When to use it
- Adding authentication or single sign-on to a Grove application
- Protecting admin dashboards, API endpoints, or server-rendered routes
- Validating user sessions on every protected request
- Implementing OAuth sign-in, magic links, or passkeys
- Migrating from a legacy OAuth token flow to the Better Auth client
Best practices
- Prefer the Better Auth client for new integrations to simplify sign-in and session handling
- Validate sessions on every protected API or server route and populate locals with user/session data
- Store secrets in environment variables and never commit client secrets to source control
- Use httpOnly cookies for session tokens and avoid localStorage to reduce XSS risk
- Implement graceful logout and error handling for expired or invalid sessions
Example use cases
- Protect a SvelteKit admin layout by redirecting unauthenticated users to /auth/login
- Auto-validate session cookies on every request by calling /api/auth/session and attaching user to locals
- Add Google OAuth sign-in using auth.signIn.social with the Better Auth client
- Support passwordless login via magic links and passkeys for faster user onboarding
- Register a new client in Heartwood, set HEARTWOOD_CLIENT_SECRET, and exchange codes in an OAuth callback
FAQ
Use the Better Auth client for new apps. Use cookie-based SSO for apps on .grove.place. Keep legacy token flow only for backwards compatibility.
How do I validate sessions quickly?
Call the /api/auth/session endpoint with the better-auth.session_token cookie or use the legacy /verify endpoint for access tokens. Enable KV caching (SESSION_KV) for sub-100ms validation.
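The per-request session check and the admin redirect from the example use cases, sketched in TypeScript. This is an added example, not Heartwood's or Grove's own code; AUTH_BASE, the protected prefixes, and the `{ user: { id, email } }` response shape are assumptions, while the cookie name, endpoint path, and /auth/login come from this page.

```typescript
// Added example, not Heartwood's code. AUTH_BASE and the response shape are assumptions.
const AUTH_BASE = "https://auth.example.invalid"; // placeholder origin
const SESSION_COOKIE = "better-auth.session_token"; // cookie name given on this page
const PROTECTED_PREFIXES = ["/admin", "/api/admin"]; // hypothetical protected routes

type User = { id: string; email: string };
// Minimal fetch shape so a stub can be injected; the global fetch fits it.
type FetchLike = (
  url: string,
  init: { headers: Record<string, string> }
) => Promise<{ ok: boolean; json(): Promise<unknown> }>;

// Pull only the session cookie out of a raw Cookie header.
function getSessionToken(cookieHeader: string | null): string | null {
  for (const part of (cookieHeader ?? "").split(";")) {
    const eq = part.indexOf("="); // the value may itself contain "="
    if (eq > 0 && part.slice(0, eq).trim() === SESSION_COOKIE) {
      return part.slice(eq + 1).trim() || null;
    }
  }
  return null;
}

// Ask the session endpoint who this is. Any failure means "no user" (fail closed).
async function validateSession(cookieHeader: string | null, fetchImpl: FetchLike): Promise<User | null> {
  const token = getSessionToken(cookieHeader);
  if (!token) return null; // no cookie: skip the network call entirely
  try {
    const res = await fetchImpl(`${AUTH_BASE}/api/auth/session`, {
      headers: { cookie: `${SESSION_COOKIE}=${token}` }, // forward only this cookie
    });
    if (!res.ok) return null;
    const body = (await res.json()) as { user?: Partial<User> } | null;
    const user = body ? body.user : undefined;
    if (!user || typeof user.id !== "string" || typeof user.email !== "string") return null;
    return { id: user.id, email: user.email };
  } catch {
    return null; // network error or malformed JSON
  }
}

// Decide what a server hook should do with this request.
async function guard(pathname: string, cookieHeader: string | null, fetchImpl: FetchLike) {
  const user = await validateSession(cookieHeader, fetchImpl);
  const isProtected = PROTECTED_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + "/"));
  return { user, redirectTo: isProtected && !user ? "/auth/login" : null };
}
```

In a SvelteKit `hooks.server.ts`, the result of `guard` would be used to set `event.locals.user` and to issue the redirect when `redirectTo` is non-null.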