Custom authentication

This advanced guide shows how to replace the default Atoti authentication mechanism with a custom one.


We will use a modified Atoti server, but you do not need to deploy it locally: it is accessible at

In this guide, we will:

  • use a different authentication endpoint.
  • create a custom login form.


Default authentication

Before we start, it is worth understanding how Atoti authenticates users by default.

It is pretty simple: the servers it communicates with (ActivePivot and the content server) only respond to trustworthy clients. And a client is deemed trustworthy if it possesses a valid token.

This diagram shows a slightly simplified version of how things work:


With this in mind, let's get started!

Get started

Before anything, download, install and build the Atoti UI Starter. See how in Setup.

This time, we will use another server.

Replace the content of your env.development.js and env.production.js files with:

window.env = {
contentServerVersion: "5.11.1",
activePivotServers: {
"custom-server": {
url: "",
version: "5.11.1",

If you are running npm start, then you need to stop it and restart for this change to be taken into account.

The default authentication is handled by withSandboxClients, in the file index.tsx. withSandboxClients is a higher-order component responsible for:

  1. displaying a login form if the user hasn't authenticated yet
  2. providing the clients to its descendants (see ActivePivotClient and ContentClient)
  3. providing the username and roles to its descendants

Our goal now is to replace this with our own higher-order component which will handle the same responsibilities.

Let's get to doing that by first removing withSandboxClients from our code, and seeing what happens!

- import { withSandboxClients } from "@activeviam/sandbox-clients";

const extension: ExtensionModule = {
activate: async (configuration) => {

- configuration.higherOrderComponents = [withSandboxClients];
+ configuration.higherOrderComponents = []


export default extension;

Open up your dev tools. You should see the following error:

Error: No clients found. Did you forget to provide them with `<ClientsProvider />` ?

This is because of point 2 above: a component tried to communicate with a server but could not find the client to do it.

Context providers

Create a new file under src/ and call it withCustomAuthentication.tsx. Paste the snippet below into it. Notice that this file defines a higher order component called withCustomAuthentication, which creates clients and passes them down to the given Component (which in practice will be the entire Atoti application).

import { ComponentType, useMemo } from "react";
import {
} from "@activeviam/activeui-sdk";

* Higher order component providing the user information to underlying components.
* Also provides the clients allowing them to communicate with ActivePivot and the content server.
export function withCustomAuthentication<P extends JSX.IntrinsicAttributes>(
Component: ComponentType<P>
): ComponentType<P> {
const Wrapped = (props: P) => {
const clients = useMemo<
| {
content: ContentClient;
activePivot: {
[serverKey: string]: ActivePivotClient;
| undefined
>(() => {
const activePivotUrl =
const activePivotServerVersion =

const contentServerUrl = window.env.contentServerUrl!;
const contentServerVersion = window.env.contentServerVersion!;

return {
activePivot: {
"custom-server": createActivePivotClient({
url: activePivotUrl,
serverVersion: activePivotServerVersion,
serviceVersion: {
id: "6",
restPath: "/pivot/rest/v6",
wsPath: "/pivot/ws/v6",
content: createContentClient({
url: contentServerUrl,
serverVersion: contentServerVersion,
serviceVersion: {
id: "5",
restPath: "/content/rest/v5",
wsPath: "/content/ws/v5",
}, []);

return (
<UserProvider value={{ username: "admin", userRoles: ["ROLE_ADMIN"] }}>
<ClientsProvider value={clients}>
<Component {...props} />

Wrapped.displayName = `withCustomAuthentication(${Component.displayName})`;

return Wrapped;

Let's wire withCustomAuthentication into our application. Navigate to src/index.tsx and make the following edits:

+ import { withCustomAuthentication } from "./withCustomAuthentication";

const extension: ExtensionModule = {
activate: async (configuration) => {

- configuration.higherOrderComponents = [];
+ configuration.higherOrderComponents = [withCustomAuthentication];


Refresh the page. We're now faced with another error:

UnauthorizedError: 401: Not authorized to access:

This is because we are making requests to our servers without attaching the required token, proving that we are trustworthy. Let's fix that.

Attaching the token

In this example, our server features a REST endpoint at allowing to retrieve the token. This endpoint accepts the username and password in a Basic Authentication format. For this tutorial, there is a demo user available with the username of johndoe and password iloveatoti. You can request a token with a REST client, such as Postman.

Custom authentication request

Let's hardcode the token, in a naive attempt to make our application work. We can leverage the requestInit argument of createActivePivotClient and createContentClient in order to pass additional headers that should be attached to HTTP requests.

Make the following edits to withCustomAuthentication:

import React,
} from "react";
import {
+ getUserFromJwt
} from "@activeviam/activeui-sdk";

const Wrapped = (props: P) => {

+ const token = "paste-your-token-here";

const clients = useMemo<
| {
content: ContentClient;
activePivot: {
[serverKey: string]: ActivePivotClient;
| undefined
>(() => {

+ const requestInit = {
+ headers: { authorization: `Jwt ${token}` },
+ }

return {
activePivot: {
"custom-server": createActivePivotClient({
url: activePivotUrl,
serverVersion: activePivotServerVersion,
serviceVersion: {
id: "6",
restPath: "/pivot/rest/v6",
wsPath: "/pivot/ws/v6",
+ requestInit
content: createContentClient({
url: contentServerUrl,
serverVersion: contentServerVersion,
serviceVersion: {
id: "5",
restPath: "/content/rest/v5",
wsPath: "/content/ws/v5",
+ requestInit
- }, []);
+ }, [token]);
+ const user = getUserFromJwt(token);

return (
- <UserProvider value={{ username: "admin", userRoles: ["ROLE_ADMIN"] }}>
+ <UserProvider value={user}>
<ClientsProvider value={clients}>
<Component {...props} />

It works!



Of course we cannot ship this to production: it would be both very unsafe and bugged: everybody would be able to connect until the hardcoded token expires. After it does, the application would stop working altogether.

We must allow users to log in so that they can retrieve their own token. To do so, we will create a login form.

Login form

Let's create a new file: src/authenticate.ts, in order to define a function allowing to call our server to request a token, given a username and password:

* Sends `username` and `password` to the server in order to retrieve a token.
* Returns the token, if the authentication was successful.
export async function authenticate(
url: string,
{ username, password }: { username: string; password: string },
): Promise<string> {
const response = await fetch(`${url}/jwt/rest/v1/authenticate`, {
headers: {
authorization: `Basic ${btoa(`${username}:${password}`)}`,

const body = await response.json();

Create another file: src/LoginForm.tsx, in order to define our login form component. The login form should call back its parent component with the token in case of successful login.

import { css } from "@emotion/react";
import { Button, Form, Input } from "antd";
import { FC, useState } from "react";
import { authenticate } from "./authenticate";
interface LoginFormProps {
onLoggedIn: (token: string) => void;
* Displays a login form in order to let the user type in their username and password and send them to the server, to receive their token.
*/ export const LoginForm: FC<LoginFormProps> = ({ onLoggedIn }) => {
const [formValues, setFormValues] = useState<{
username: string;
password: string;
}>({ username: "", password: "" });
const handleSubmit = async () => {
const { username, password } = formValues;
const token = await authenticate(
{ username, password },
return (
width: 100%;
height: 100%;
padding: 12em 5em;
display: flex;
justify-content: center;
display: flex;
flex-direction: row;
width: 50%;
height: 100%;
box-shadow: 10px 20px 8px 5px #949494a7;
border: #949494a7 1px solid;
display: flex;
background-color: white;
height: 100%;
width: 100%;
flex-direction: column;
align-items: center;
justify-content: center;
padding-bottom: 10em;
height: 60px;
width: 60px;
border-radius: 30px;
alt="Atoti logo"

font-size: 3em;
Welcome to Atoti!
width: 100%;
display: flex;
justify-content: center;
labelCol={{ span: 8 }}
wrapperCol={{ span: 16 }}
onValuesChange={(changedValues) => {
setFormValues({ ...formValues, ...changedValues });
{ required: true, message: "Please input your username!" },
<Input />

{ required: true, message: "Please input your password!" },
<Input.Password />

<Form.Item wrapperCol={{ offset: 8, span: 16 }}>
<Button onClick={handleSubmit} type="primary">
Log in

Finally, we can wire our login form into src/withCustomAuthentication:

- useMemo
+ useMemo,
+ useState
} from "react";

+ import { LoginForm } from "./LoginForm";

const Wrapped = (props: P) => {

- const token: "paste-your-token-here";
+ const [token, setToken] = useState<string | null>(null);

const clients = useMemo<
| {
content: ContentClient;
activePivot: {
[serverKey: string]: ActivePivotClient;
| undefined
>(() => {
+ if (!token) {
+ return undefined;
+ }

const requestInit = {
headers: { authorization: `Jwt ${token}` },

return {
activePivot: {
"custom-server": createActivePivotClient({
url: window.env.activePivotServers["custom-server"].url,
serverVersion: window.env.activePivotServers["custom-server"].version,
serviceVersion: {
id: "6",
restPath: "/pivot/rest/v6",
wsPath: "/pivot/ws/v6",
content: createContentClient({
url: window.env.contentServerUrl,
serverVersion: window.env.contentServerVersion,
serviceVersion: {
id: "5",
restPath: "/content/rest/v5",
wsPath: "/content/ws/v5",
}, [token]);

+ if (!token) {
+ return <LoginForm onLoggedIn={setToken} />;
+ }

const user = getUserFromJwt(token);

return (
<UserProvider value={user}>

There is one last problem remaining: log into the application and then refresh the page. You are prompted to log in again. This is unexpected. Let's fix it.

Local storage

We can leverage the user's local storage in order to persist their username and token upon successful login and initialize them from there, when the user refreshes the page.

In LoginForm.tsx, make the following edits:

- const [formValues, setFormValues] = useState<{
- username: string;
- password: string;
- }>({
- username: "",
- password: "",
- }));
+ const [formValues, setFormValues] = useState<{
+ username: string;
+ password: string;
+ }>(() => ({
+ username: localStorage.getItem("atoti.username") ?? "",
+ password: "",
+ }));

const handleSubmit = async () => {
const { username, password } = formValues;
const token = await authenticate(
{ username, password }

+ window.localStorage.setItem("atoti.username", username);
+ window.localStorage.setItem("atoti.token", token);


In withCustomAuthentication.tsx, make the following edits:

- const [token, setToken] = useState<string | null>(null);
+ const [token, setToken] = useState<string | null>(
+ localStorage.getItem("atoti.token")
+ );

Everything now works as expected.
