JavaScript

CRITICAL SECURITY – READ FIRST

NEVER expose sensitive data in client-side code.

❌ clientSecret – server-side only
❌ API keys and credentials – server-side only
❌ Direct calls to the Wink Session API from the browser – use a backend proxy only

Session creation and any calls that use credentials MUST go through your backend API.

Option A: Use the Vanilla JS Starter Kit (recommended)

The fastest way to integrate is to use the Vanilla JS Starter Kit, which already implements the secure flow (session from backend, no secret in frontend, user profile from backend).

Repository: wink-identity-vanilla-js-starter-kit
Stack: Plain HTML, CSS, JavaScript (no bundler)
Includes: Official Wink login button, get session from backend, get user from backend, logout, silent-check SSO, profile UI

Quick start:

Clone the repo and copy config.example.js to config.js.
Run a backend (e.g. Wink Identity Backend Templates – Hono, Express, or FastAPI). The frontend needs a backend that exposes GET /session and GET /user.
Edit config.js and set:
- clientId
- realm
- baseUrl
- authUrl
- backendUrl (your backend URL)
Run npx serve . (or any static server).
Open the app, click Login with Wink, and complete the flow.

Important: No clientSecret or other credentials are used in the frontend; session creation and user data are done via your backend.

Option B: Add Wink to an existing vanilla JS app

If you prefer to integrate into an existing HTML/JS app instead of using the starter:

Prerequisites

Static HTML/JS app (or any server-rendered page)
Node.js or a static file server (e.g. npx serve .)
A backend API that creates the Wink session and returns user profile (see Backend Integration)

1. Load the SDK

Add the Wink Identity Web SDK via CDN (no build step). For the login button, use the official Wink button styles:

<link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/wink-cloud/wink-integration@main/button.css" />
<script src="https://unpkg.com/[email protected]/dist/wink-id.umd.js"></script>

Alternative (jsDelivr for SDK):

<link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/wink-cloud/wink-integration@main/button.css" />
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/wink-id.umd.js"></script>

2. Configuration (client-safe only)

Define config in a config.js file or inline. Never put clientSecret or any secret here.

window.WINK_CONFIG = {
  clientId: "your_client_id",
  realm: "your_realm",
  baseUrl: "https://stagelogin-api.winkapis.com",
  authUrl: "https://stageauth.winkapis.com",
  backendUrl: "http://localhost:8080"
};

Your backend uses credentials and calls the Wink Session API; the frontend only calls your backend (e.g. GET /session, GET /user).

3. Backend contract

Your backend must expose:

GET /session?returnUrl=...&cancelUrl=... — Creates a Wink session server-side and returns JSON that includes a session id (e.g. sessionId).
GET /user?clientId=...&token=... — Returns the user profile after authentication.

4. Integration flow

On app load: Create a Wink client with getWinkLoginClient(config) (no sessionId). Call client.winkInit({ silentCheckSsoRedirectUri: '...', onSuccess, onFailure }) to check for an existing session (SSO).
On login: Call your backend GET /session?returnUrl=...&cancelUrl=..., read the session id from the response, then create a new client with that sessionId in config: getWinkLoginClient({ ...config, sessionId }). Call client.winkInit({ onLoad: 'login-required', checkLoginIframe: false, onFailure }) to trigger the login redirect.
After auth: Fetch user profile from your backend (GET /user) using the token from the client; do not rely on the client alone for profile.
Logout: Build the OIDC logout URL (authUrl + realm + logout endpoint + post_logout_redirect_uri + client_id + optional id_token_hint), then redirect the user. Clear local tokens/cookies as needed.

For a full reference implementation (config shape, error handling, OIDC logout), use the Vanilla JS Starter Kit as the source of truth.

5. Session ID is mandatory

You must obtain a sessionId from your backend before starting the login flow and pass it in the client config when creating the Wink client (so the SDK can add it to the authorization URL). Never call the Wink Session API from the browser.

Security: Your backend calls the Wink Session API with credentials. See Backend Integration and Session Management for details.

6. Token lifetimes (reference)

Access Token: 5 minutes
Refresh Token: 30 minutes (each refresh extends all tokens by 5 minutes)
See Login and Logout Behavior for full token lifecycle.

Configuration (`config.js`)

All values are client-safe. No clientSecret or credentials in the frontend.

Variable	Purpose	Example
`clientId`	Wink client ID	`"abc123"`
`realm`	Wink realm	`"my-realm"`
`baseUrl`	Wink API base URL	`"https://stagelogin-api.winkapis.com"`
`authUrl`	Wink Auth / IdP base URL	`"https://stageauth.winkapis.com"`
`backendUrl`	Backend URL (session + user endpoints)	`"http://localhost:8080"`

Copy config.example.js to config.js, fill in your values, and never commit config.js with real credentials.

Backend Contract

Your backend must expose:

Method	Path	Query params	Description
GET	`/session`	`returnUrl`, `cancelUrl`	Creates a Wink session, returns JSON with `sessionId` (or `SessionId`, `id`, `session_id`).
GET	`/user`	`clientId`, `token`	Returns user profile after authentication.

See Wink Identity Backend Templates for Hono, Express, and FastAPI implementations.

Flow Overview

User clicks "Login with Wink"
    ↓
App calls backend GET /session?returnUrl=...&cancelUrl=...
    ↓
Backend creates Wink session, returns sessionId
    ↓
App creates Wink client with sessionId in config
    ↓
App calls winkInit({ onLoad: "login-required", ... })
    ↓
User is redirected to Wink Identity → authenticates (e.g. biometric)
    ↓
Wink redirects back to your app
    ↓
SDK processes callback; onSuccess, app fetches user from backend GET /user
    ↓
User is authenticated; use OIDC logout URL for sign out

Session ID is Mandatory

You must obtain a sessionId from your backend before starting the login flow and pass it in the client config when creating the Wink client. Never call the Wink Session API from the browser.

Required inputs when creating a session:

returnUrl – where to redirect after successful login
cancelUrl – where to redirect if login is canceled

Required output from backend:

{ "sessionId": "xxxx-xxxx-xxxx" }

Key Points

Starter Kit first – Use the Vanilla JS Starter Kit for a complete, secure example.
Session from backend – Always get sessionId from your backend; pass it in the client config when starting login.
No secrets in the frontend – No clientSecret; no direct Wink Session API calls from the browser.
User profile from backend – After auth, get profile via your backend (GET /user).
Logout – Use the OIDC end-session URL with id_token_hint and post_logout_redirect_uri.

Troubleshooting

Issue	What to check
Session creation fails	Backend `GET /session` returns 200 and a body with a session id; `returnUrl` and `cancelUrl` are valid. Backend has correct Wink credentials.
Login redirect doesn't start	`sessionId` is in the config when creating the client for the login flow.
User profile empty	Backend `GET /user` is called with `clientId` and token after `onSuccess`; backend is configured and returns the expected shape.
Config not loaded	Copy `config.example.js` to `config.js` and ensure it loads before the main script.