At the root of the project, create a new file, auth_config.js, and enter the following code: Ensure you replace YOUR_AUTH0_DOMAIN with your own Auth0 domain and YOUR_APP_CLIENT_ID with the Client ID of your application. The main purpose of this hook is create a sanitized version of the server context for the browser (like remove sensitive information like passwords/API keys.) If you know where you will host your application later, you can add multiple domains separated by commas. SvelteKit gives you the ability to run your application on the server and client. That is because you have not added any task items, so go ahead add new tasks and tick some off. Pages are Svelte components written in .svelte files. User authentication is one of the crucial features of every web application. In your terminal create a new folder for this project. In detail, these are the steps: Create a login form on the client Send the login data to the server Authenticate the user and send a JWT back Store the JWT in a cookie Use the JWT for further requests to the GraphQL API Let's call the project authy or any name you prefer: Use the npm init function to create the SvelteKit project, Go to https://github.com/settings/applications/new in your browser and create a new application called authy with a homepage of http://localhost:3000 and a callback url of http://localhost:3000/callback. This makes it available to the preload function of each route, both on the client and server side. With this new approach you have the option to leverage http-only (server-side) cookies to manage authentication state. See src/authConfig.ts for how to adapt this configuration for a production environment. Hooks run on the server and allow us to extend the behavior of SvelteKit. authentication x. svelte x. Capture email addresses as unique IDs to keep in touch. If you load /api/mood now, you should get Not authorized . I have problem using CommonJS modules like pg with Vercel or Netlify but the adapter for Node.js works for me. (You can try it by navigating to /protected in the finished demo.). Select Microsoft in the identity provider dropdown. Load this URL in your browser, you will see a page similar to the one below: The next task is to set up all the application needs to authenticate users. You can set up a new project with a single command: sapper-mood is the name of the project youre creating. Select Authentication in the menu on the left. In our case, we want to create a src/routes/login.js file and map the GET http verb to the exported get function. You have to create a .js (or .ts) file in src/routes in order to create an endpoint in SvelteKit. You can also check out the final code in this GitHub repository. Once the command completes, install the project, and you're ready to begin developing with Svelte! Consume API calls. We can use query.get method off of the request object to get the code value. You can find the complete code in src/db.ts. The first thing we'll do is create our Svelte app. The only configuration required is to set the Allowed Callback URL to http://localhost:3000/callback, the Allowed Logout URL to http://localhost:3000 and the Allowed Web Origin to http://localhost:3000. So far so good, but we need to connect our buttons to the methods we created. Another solution would be to set the session via $app/stores right after successfully logged in, then you can call goto function. With this new approach you have the option to leverage http-only (server-side) cookies to manage authentication state. It is important to note that this example includes preventDefault to prevent the runtime from making an HTTP request at the instant when the form element gets created: