HelloJohn / docs
SDKs

SDKs

Official HelloJohn SDKs for React, JavaScript, Next.js, Node.js, Go, and Python — with TypeScript support throughout.

SDKs

HelloJohn provides official SDKs for the most common languages and frameworks. All SDKs are open source, typed, and follow the same design principles: sensible defaults, minimal configuration, and full flexibility when you need it.

Available SDKs

SDKPackageUse case
React@hellojohn/reactReact apps (hooks + components)
JavaScript@hellojohn/jsVanilla JS, Vue, Svelte, Angular
Next.js@hellojohn/nextjsNext.js App Router + Pages Router
Node.js@hellojohn/nodeBackend services, admin operations
Gogithub.com/hellojohn/hellojohn-goGo servers and services
PythonhellojohnPython backends (FastAPI, Django, Flask)

Client vs. server SDKs

HelloJohn SDKs come in two flavors:

Client SDKs (React, JS, Next.js client components):

  • Run in the browser
  • Use the publishable key (pk_...)
  • Handle sign-in, sign-up, session management, MFA
  • Cannot access admin operations

Server SDKs (Node.js, Go, Python, Next.js server):

  • Run on your backend
  • Use the secret key (sk_...)
  • Can manage users, tenants, sessions
  • Never expose the secret key to browsers
// ✅ Client: use publishable key
const hj = createHelloJohnClient({ publishableKey: 'pk_live_...' });

// ✅ Server: use secret key
const hj = createHelloJohnAdminClient({ secretKey: process.env.HJ_SECRET_KEY });

Key types

KeyPrefixWhere usedCapabilities
Publishable keypk_live_ or pk_test_Client-side codeAuth flows only
Secret keysk_live_ or sk_test_Server-side onlyFull admin API

Find your keys in the HelloJohn dashboard under Settings → API Keys.

Common patterns

Verify a JWT in your backend

Every server SDK provides a verifyToken helper:

// Node.js
import { verifyToken } from '@hellojohn/node';

const payload = await verifyToken(accessToken, {
  secretKey: process.env.HJ_SECRET_KEY,
});
// payload.sub — user ID
// payload.tenant_id — tenant
// payload.role — user's role
// Go
payload, err := hj.VerifyToken(ctx, accessToken)
if err != nil {
    http.Error(w, "Unauthorized", http.StatusUnauthorized)
    return
}
# Python
payload = hj.verify_token(access_token)

Protect a route

// Next.js middleware
import { withHelloJohnAuth } from '@hellojohn/nextjs/server';

export default withHelloJohnAuth(async (req) => {
  const user = req.auth.user;
  // ...
});
// Go middleware
func AuthMiddleware(hj *hellojohn.Client) func(http.Handler) http.Handler {
    return func(next http.Handler) http.Handler {
        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            token := r.Header.Get("Authorization")
            payload, err := hj.VerifyToken(r.Context(), strings.TrimPrefix(token, "Bearer "))
            if err != nil {
                http.Error(w, "Unauthorized", 401)
                return
            }
            ctx := context.WithValue(r.Context(), "user", payload)
            next.ServeHTTP(w, r.WithContext(ctx))
        })
    }
}

SDK versioning

All SDKs follow Semantic Versioning. SDK minor and patch versions are compatible with the same HelloJohn server version range:

SDK versionCompatible server versions
1.x.xHelloJohn 1.x.x
2.x.xHelloJohn 2.x.x

Community SDKs

Community-maintained SDKs (not officially supported):

Want to build an SDK for another language? See our SDK Development Guide.

Getting help

Vulnerability Disclosure

How to report security vulnerabilities in HelloJohn responsibly, and what to expect in response.

useAuth

React hook for authentication operations — sign in, sign up, sign out, and OAuth flows with the HelloJohn React SDK.

On this page

SDKsAvailable SDKsClient vs. server SDKsKey typesCommon patternsVerify a JWT in your backendProtect a routeSDK versioningCommunity SDKsGetting help