Currently, there is no official SDK support for Corbado. This page explains how to use Corbado even without an official SDK.

If you need support or think we should increase the internal priority of the SDK, please send us an email or a message in Slack.

You need to take care of the following steps:

OpenAPI client generation

To simplify the integration of Corbado into your application, you can autogenerate a client/SDK. Since the Corbado Backend API follows the OpenAPI standard (version 3.0.3), this is quite easy:

  1. Download the official OpenAPI specification
  2. Take an OpenAPI generator, for example OpenAPI Generator
  3. Generate the client/SDK and start using it in your application

Example commands for generating a TypeScript client:

mkdir .gen
docker pull openapitools/openapi-generator-cli
docker run -v ./.gen:/local openapitools/openapi-generator-cli generate -g typescript-axios -i /local/backend_api_public.yml -o /local --additional-properties=invokerPackage=Corbado\\Generated

See a list of all available generators and their specific options for different languages and frameworks at https://openapi-generator.tech/docs/generators.

Session handling

To fully understand the following section, familiarize yourself with the Corbado session management!

To check whether a user is logged in, your application needs to verify the short-term session (represented as a JWT). Corbado uses the RS256 algorithm (see JWT security for more details) for its JWTs.

To obtain the public keys required for verifying the JWT signature, you need to retrieve the JWKS (JSON Web Key Set). The JWKS is located at the Frontend API URL:

https://<projectID>.frontendapi.corbado.io/.well-known/jwks

For example, for project ID pro-771306541694234650:

https://pro-771306541694234650.frontendapi.corbado.io/.well-known/jwks

Besides verifying the signature, you need to check the following JWT claims:

| Claim | Description | Check |
| --- | --- | --- |
| exp | Expiration Time | Must be in future |
| nbf | Not Before | Must be in past |
| iss | Issuer | Must be Frontend API URL (or CNAME if set) |

Make sure your JWT library supports JWKS caching; otherwise, each JWT verification will result in an HTTP request to fetch the JWKS!

JWT libraries

There are multiple JWT libraries available for Python. Here is one of them:

https://pyjwt.readthedocs.io/en/stable/index.html

Help for JWKS:

https://pyjwt.readthedocs.io/en/stable/usage.html#retrieve-rsa-signing-keys-from-a-jwks-endpoint
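
The checks from the Session handling section, written with PyJWT as an added example (not Corbado's own code). The function names, the `sub` value and the assumption that `iss` is exactly `https://<projectID>.frontendapi.corbado.io` are illustrative; the key pair and tokens in `demo()` are constructed so the block runs offline.

```python
import time

import jwt  # PyJWT; RS256 needs the "cryptography" package
from cryptography.hazmat.primitives.asymmetric import rsa

def frontend_api_url(project_id: str) -> str:
    # Assumed to be the exact value of the iss claim when no CNAME is set
    return f"https://{project_id}.frontendapi.corbado.io"

def jwks_client(project_id: str) -> jwt.PyJWKClient:
    # Create once at startup and reuse: the client caches the fetched key set,
    # so verification does not trigger an HTTP request per token.
    return jwt.PyJWKClient(frontend_api_url(project_id) + "/.well-known/jwks")

def verify_short_session(token: str, public_key, issuer: str):
    """Return the claims of a valid short-term session JWT, else None."""
    # In production: public_key = client.get_signing_key_from_jwt(token).key
    try:
        return jwt.decode(
            token,
            public_key,
            algorithms=["RS256"],  # pin the algorithm instead of trusting the header
            issuer=issuer,  # iss must equal the Frontend API URL
            # PyJWT only validates claims that are present, so demand all three
            options={"require": ["exp", "nbf", "iss"]},
        )
    except jwt.InvalidTokenError:
        return None

def demo() -> dict:
    # Constructed key pairs and tokens stand in for Corbado's, so this runs offline
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    iss, now = frontend_api_url("pro-771306541694234650"), int(time.time())

    def check(signer=key, **overrides):
        claims = {"sub": "usr-constructed", "iss": iss, "nbf": now - 10, "exp": now + 300, **overrides}
        claims = {k: v for k, v in claims.items() if v is not None}
        token = jwt.encode(claims, signer, algorithm="RS256")
        return verify_short_session(token, key.public_key(), iss)

    return {
        "valid": check(),
        "expired": check(exp=now - 60),
        "not_yet_valid": check(nbf=now + 300),
        "wrong_issuer": check(iss="https://example.invalid"),
        "missing_exp": check(exp=None),
        "wrong_key": check(signer=other),
    }
```

Failures while fetching the JWKS raise `jwt.PyJWKClientError`, which is not an `InvalidTokenError`; handle it separately so that an outage is not reported as an invalid session.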