Events & Token Handling

The spartan-login event

When a user successfully authenticates, the <spartan-login> widget:

1. Stores the JWT in localStorage under the key spartan-token
2. Dispatches a spartan-login CustomEvent on the element

const widget = document.querySelector('spartan-login');

widget.addEventListener('spartan-login', (event: CustomEvent) => {
  const { token, transactionID } = event.detail;
  console.log('Logged in!', token);
});

Tip

Always listen for the spartan-login event rather than polling localStorage. The widget manages multi-step flows (MFA challenge, sign-up confirmation, password reset) before firing this event, so by the time it fires the user is fully and correctly authenticated.

Accessing the token

After login, the JWT is available at any time:

const token = localStorage.getItem('spartan-token');

Include it in all API requests to your backend:

async function apiFetch(path: string, options: RequestInit = {}) {
  const token = localStorage.getItem('spartan-token');
  return fetch(path, {
    ...options,
    headers: {
      ...options.headers,
      ...(token ? { Authorization: `Bearer ${token}` } : {}),
      'Content-Type': 'application/json',
    },
  });
}

Reading JWT claims client-side

For display purposes only (e.g., showing the user’s email in a nav bar), you can decode the JWT client-side without verification:

function getTokenClaims(): { sub: string; email: string; sectorID: string } | null {
  const token = localStorage.getItem('spartan-token');
  if (!token) return null;
  try {
    const payload = JSON.parse(atob(token.split('.')[1]));
    // SpartanAuth nests custom claims under "Claims"
    const claims = payload.Claims || payload;
    return {
      sub: claims.sub,
      email: claims.email,
      sectorID: claims.sectorID,
    };
  } catch {
    return null;
  }
}

Caution

Never use client-side decoded claims for authorization decisions. Anyone can decode a JWT — that’s by design. Only use decoded claims for display (showing a username, email, etc.). Always call the introspection endpoint server-side to make authorization decisions.

Logging out

To log a user out, remove the token from localStorage and redirect to the login page:

function logout() {
  localStorage.removeItem('spartan-token');
  window.location.href = '/login';
}

Handling 401 responses globally

For applications where every page requires authentication, you can intercept 401 responses globally:

// Place in your app entry point — only for fully-authenticated apps
const { fetch: originalFetch } = window;

window.fetch = async (...args) => {
  const response = await originalFetch(...args);
  if (!response.ok && response.status === 401) {
    localStorage.removeItem('spartan-token');
    if (!window.location.pathname.startsWith('/login')) {
      window.location.href = '/login';
    }
  }
  return response;
};

Caution

Do not use the fetch override if your app has any publicly accessible pages. A 401 on a public endpoint would incorrectly redirect the user to login. In partially-public apps, handle 401s individually at the call site instead — see Frontend Fetch Patterns for patterns.