@elvix.is/sdk

Identity, kept in Europe.
Passwordless authentication for React + Next.js. Hosted in Aachen, German legal frame.

---

Why elvix

Auth is the highest-leverage place to get an integration right or wrong. Roll your own and you ship an insecure copy of OAuth that future-you debugs at 2am. Use a US provider and your German users live under American legal frame. elvix is opinionated so the first answer is the safe answer, and EU-resident so the legal frame matches your customers.

• Passwordless from day one. Email OTP, passkeys, Google.
• Drop-in React components. One provider, one form, zero boilerplate.
• Server-side verify in three lines.
• Console-configured. Brand colors, allowed methods, redirects all live in elvix Console. The SDK reads them at runtime. No prop drilling.
• Agent-friendly. Ships an MCP server so Claude, Cursor, Codex, and Gemini can integrate elvix without human shepherding.

Install

bun add @elvix.is/sdk
# or
npm install @elvix.is/sdk

Quickstart

// app/layout.tsx
import { ElvixProvider } from "@elvix.is/sdk/react";

export default function RootLayout({ children }: { children: React.ReactNode }) {
  return (
    <html>
      <body>
        <ElvixProvider clientId={process.env.NEXT_PUBLIC_ELVIX_CLIENT_ID!}>
          {children}
        </ElvixProvider>
      </body>
    </html>
  );
}

// app/sign-in/page.tsx
"use client";

import { ElvixSignIn } from "@elvix.is/sdk/react";
import { useRouter } from "next/navigation";

export default function SignInPage() {
  const router = useRouter();
  return (
    <ElvixSignIn
      onResult={(r) => {
        if (r.ok) router.push(r.redirect ?? "/dashboard");
        else console.warn(r.error, r.message);
      }}
    />
  );
}

// app/api/protected/route.ts
export async function GET(request: Request) {
  const token = request.headers.get("authorization")?.replace(/^Bearer /, "");
  if (!token) return new Response("Unauthorized", { status: 401 });

  const res = await fetch("https://elvix.is/api/v1/verify", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${process.env.ELVIX_API_KEY!}`,
    },
    body: JSON.stringify({ token }),
  });
  const { ok, user, roles } = await res.json();
  if (!ok) return new Response("Unauthorized", { status: 401 });
  return Response.json({ hello: user.id, roles });
}

That is the entire integration.

AI coding agents

elvix ships first-class agent support. Three surfaces:

1. Discovery via llmstxt.org

   https://elvix.is/llms.txt          index
   https://elvix.is/llms-full.txt     flat dump of every doc page
   https://elvix.is/docs/install.md   per-page Markdown twin
   https://elvix.is/agent-prompt.md   ready-to-paste system prompt
   

2. OpenAPI for typed REST access

   https://elvix.is/openapi.yaml          full spec
   https://elvix.is/openapi.roles.json    per-endpoint role + admin scope
   

3. MCP server bundled with the SDK

   {
     "mcpServers": {
       "elvix": {
         "command": "bunx",
         "args": ["@elvix.is/sdk", "elvix-mcp"],
         "env": { "ELVIX_API_KEY": "eak_..." }
       }
     }
   }

   Read-only by default. --admin opts in to mutation tools. Never logs the bearer token.

Full agent guide: https://elvix.is/docs/agents

Components

Every <Elvix*> component the SDK ships. Drop-in React, brand chord from <ElvixProvider>, no prop drilling.

• Primitives: ElvixCard, ElvixProvider
• Sign-in: ElvixSignIn, ElvixSignInButton, ElvixRecoverGate
• Identity: ElvixUsername, ElvixIdentityForm, ElvixAvatar, ElvixBanner, ElvixRegion, ElvixLanguages
• Account: ElvixAddressBook, ElvixLegalEntities, ElvixSessions, ElvixExport, ElvixDeactivate, ElvixLeave

Full catalog with previews: https://elvix.is/docs/components

Server helpers

import { verifyElvixToken } from "@elvix.is/sdk/server";

const result = await verifyElvixToken(token, { apiKey: process.env.ELVIX_API_KEY! });
if (result.ok) {
  // result.user, result.roles, result.scopes, result.memberships
}

Brand

Deep purple chord: #5d4dff (light) and #8e7dff (dark). Override per-app from the Console. Set explicit brand on <ElvixProvider> to win over the Console default.

Security

• All requests over TLS 1.3.
• Session cookies Secure; HttpOnly; SameSite=Lax.
• Per-app session TTL + sliding-window renewal, owner-configurable.
• API keys carry per-key rate limits (60/min, 10000/day default).
• CSP, CORS, CSRF double-submit, allowedOrigins enforcement all live on elvix.is.
• Disclosure: security@elvix.is.

License

MIT. See LICENSE.

Security

Found something? Read SECURITY.md. Reports go to security@elvix.is. Critical issues get a 4-hour response.

Contributing

See CONTRIBUTING.md. PRs welcome — we run CI on every push and require it green before merge.

Maintained by

edvone · Aachen, Germany

elvix is an edvone product.

• General enquiries: edvone.dev/contact
• Sales / integration call: edvone.dev/book
• Security disclosure: security@elvix.is (see SECURITY.md)