Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

npm version Build Status Greenkeeper badge


Easy authentication with OpenStreetMap over OAuth with CORS.


Try it out now at:

Or you can run the demo locally by cloning this project, then run:

$ npm install
$ npm run build
$ npm start

This will start a local server on port 8080. Then open http://localhost:8080 in a browser.

Using osm-auth in your project


Copy osmauth.js, use the osmAuth object. This uses UMD, so it's compatible with RequireJS etc too, if you're into that kind of thing.

With node:
$ npm install osm-auth
var osmAuth = require('osm-auth');

Requires land.html to be accessible, or a page that does the same thing - calls an auth complete function - to be available.

Getting Keys

Register a new OAuth application on

  1. Go to your user page
  2. Click 'my settings'
  3. Click 'oauth settings'
  4. At the bottom, 'Register your application'
  5. Fill in the form & submit
  6. Copy & Paste the secret & consumer key into the osmAuth config object as below


var auth = osmAuth({
    oauth_consumer_key: 'WLwXbm6XFMG7WrVnE8enIF6GzyefYIN6oUJSxG65',
    oauth_secret: '9WfJnwQxDvvYagx1Ut0tZBsOZ0ZCzAvOje3u1TV0',
    auto: true // show a login form if the user is not authenticated and
               // you try to do a call

document.getElementById('authenticate').onclick = function() {
    // Signed method call - since `auto` is true above, this will
    // automatically start an authentication process if the user isn't
    // authenticated yet.
        method: 'GET',
        path: '/api/0.6/user/details'
    }, function(err, details) {
        // details is an XML DOM of user details


CORS-supporting browsers



At a minimum, options must contain an OAuth consumer key and secret:

    oauth_secret: ...
    oauth_consumer_key: ...

Additional options are:

  • url for a base url (default: "")
  • landing for a landing page name (default: "land.html")
  • loading: a function called when auth-related xhr calls start
  • done: a function called when auth-related xhr calls end
  • singlepage: use full-page redirection instead of a popup for mobile


.authenticated(): am I authenticated?


Tries to authenticate. Calls callback if successful.


Tries to bring an existing authentication popup to the front. Returns true on success or false if there is no authentication popup or if it couldn't be brought to the front (e.g. because of cross-origin restrictions).

.xhr(options, callback)

Signed XMLHttpRequest. Main options are url and method.


Set new options.

Based on

Uses ohauth and store.js behind the scenes.

Built for and used by OpenStreetMap's iD editor.

See Also

You can’t perform that action at this time.