# Authentication in Solid

Authentication is the process of verifying the identity of an [agent](https://docs.inrupt.com/reference/glossary#agent). To access private data on Solid [Pods](https://docs.inrupt.com/reference/glossary#pods), you must authenticate as a user/agent who has been granted appropriate access to that data.

Authentication in Solid can be performed:

* [via OIDC directly in the browser](https://docs.inrupt.com/guides/authentication-in-solid/authentication-from-browser)
* [via OIDC through a backend](https://docs.inrupt.com/guides/authentication-in-solid/authentication-server-side)
* [via OAuth Client Credentials](https://docs.inrupt.com/guides/authentication-in-solid/authentication-single-user-application)

## Session object

Both `@inrupt/solid-client-authn-browser` and `@inrupt/solid-client-authn-node` libraries expose a `Session` class which represents a stateful user session.

### Session information

Information about the session can be obtained using the `info` property on a `Session` instance, exposing the following fields:

<table data-header-hidden><thead><tr><th width="164.578125"></th><th></th></tr></thead><tbody><tr><td><code>isLoggedIn</code></td><td>Boolean flag indicating whether the session is currently able to make authenticated requests.</td></tr><tr><td><code>webId</code></td><td>The WebID of the user if logged in, undefined otherwise.</td></tr><tr><td><code>clientAppId</code></td><td>The application identifier, or a “Public app” identifier if the app does not provide its own. This is undefined until the session is logged in and the app identifier has been verified.</td></tr><tr><td><code>sessionId</code></td><td>A unique identifier for the session. This is generated automatically when creating a new session.</td></tr><tr><td><code>expirationDate</code></td><td>UNIX timestamp (number of milliseconds since Jan 1st 1970) representing the time until which this session is valid.</td></tr></tbody></table>

### Session Lifecycle

The `Session` class provides the following methods to drive its authentication lifecycle:

<table data-header-hidden><thead><tr><th width="222.75390625"></th><th></th></tr></thead><tbody><tr><td><code>login</code></td><td>Initiates the login process, potentially redirecting the user to their identity provider.</td></tr><tr><td><code>handleIncomingRedirect</code></td><td>Completes the login process by parsing information sent by the identity provider after successful authentication and a redirection to the application.</td></tr><tr><td><code>logout</code></td><td>Terminates the user session. By default, only local credentials are cleaned up on logout, but the function can be called with a flag set to log the user out of their OpenID Provider as well. In the latter case, the user session will be terminated across all of their Solid applications, not only the one performing the logout.</td></tr></tbody></table>

The [server-side](https://docs.inrupt.com/guides/authentication-in-solid/authentication-server-side), [in-browser](https://docs.inrupt.com/guides/authentication-in-solid/authentication-from-browser) and [script](https://docs.inrupt.com/guides/authentication-in-solid/authentication-single-user-application) authentication pages provide details about the specifics of each environment.

### Session data retrieval

The `Session` class exposes a `fetch` method. When the user session is logged in, the `fetch` method adds authentication information to the HTTP requests. The `fetch` method signature mimics the [standard fetch API](https://fetch.spec.whatwg.org/), making it compatible with any code expecting a fetch function.

### Session Events

The `Session` object exposes an `events` attribute which can be used to listen to various session-related events. `events` exposes an isomorphic API similar to the [NodeJS EventEmitter class](https://nodejs.org/docs/latest-v22.x/api/events.html#class-eventemitter), with methods such as `on` to register a callback to an event or `off` to remove the callback.

A `Session` instance will emit the following events:

<table data-header-hidden><thead><tr><th width="172.96484375"></th><th></th></tr></thead><tbody><tr><td><code>login</code></td><td>Emitted when a session successfully logs in.</td></tr><tr><td><code>logout</code></td><td>Emitted when a session successfully logs out.</td></tr><tr><td><code>sessionExpired</code></td><td>Emitted when a session’s token expires and was not refreshed.</td></tr><tr><td><code>sessionExtended</code></td><td>Emitted when a session’s token is refreshed, extending its lifetime.</td></tr><tr><td><code>error</code></td><td>Fired when an error occurs during session operations.</td></tr></tbody></table>

TypeScript types are used to document the arguments passed to the callbacks for each event.

The [server-side](https://docs.inrupt.com/guides/authentication-in-solid/authentication-server-side) authentication pages document events specific to the NodeJS environment.
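Because `fetch` only adds authentication information while the session is logged in, code that reads private data can check the session state first and refuse the request otherwise. The following is an added example, not code from the Inrupt libraries: `guardSession`, `denyReason`, `fetchPrivate` and the 30-second `skewMs` margin are hypothetical names and values, and `makeStubSession` is a constructed stand-in exposing only the `info`, `fetch` and `events` members described above so the example runs without the library.

```javascript
// Fail-closed wrapper (hypothetical helper, not part of the Inrupt libraries).
// `session` is any object with the `info`, `fetch` and `events` members described above.
function guardSession(session, { skewMs = 30000, now = Date.now } = {}) {
  const audit = []; // in-memory trail; forward to a real logger in production code
  let lastEvent = session.info.isLoggedIn ? "login" : "none";
  for (const name of ["login", "logout", "sessionExpired", "sessionExtended", "error"]) {
    session.events.on(name, () => {
      if (name !== "error") lastEvent = name; // an error alone does not change login state
      audit.push({ name, at: now(), sessionId: session.info.sessionId });
    });
  }
  // Returns null when an authenticated request may be sent, else the reason it may not.
  // Either signal (the `info` fields or the last lifecycle event) is enough to refuse.
  function denyReason() {
    const { isLoggedIn, expirationDate } = session.info;
    if (!isLoggedIn) return "not-logged-in";
    if (lastEvent === "logout" || lastEvent === "sessionExpired") return lastEvent;
    // expirationDate is a UNIX timestamp in milliseconds; refuse inside the safety margin.
    if (typeof expirationDate === "number" && expirationDate - skewMs <= now()) return "expiring";
    return null;
  }
  async function fetchPrivate(url, init) {
    const reason = denyReason();
    if (reason) throw new Error(`refusing request to ${url}: session ${reason}`);
    return session.fetch(url, init);
  }
  return { denyReason, fetchPrivate, audit };
}

// Constructed stand-in for a Session; all values below are sample data.
function makeStubSession(expirationDate) {
  const handlers = {};
  const stub = {
    info: { isLoggedIn: true, webId: "https://id.example/alice#me", sessionId: "constructed-1", expirationDate },
    calls: 0,
    fetch: async () => { stub.calls += 1; return { status: 200 }; },
    events: {
      on: (name, cb) => { (handlers[name] = handlers[name] || []).push(cb); },
      emit: (name, ...args) => (handlers[name] || []).forEach((cb) => cb(...args)),
    },
  };
  return stub;
}
```

With a real `Session`, pass the instance to `guardSession` and route requests for private resources through `fetchPrivate` instead of calling `session.fetch` directly.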
