Introduction

Cead is a modern authentication service built for developers. Add secure auth to your app in minutes, not weeks.

Cead provides everything you need for user authentication:

  • Multiple auth methods: email/password, magic links, OAuth, MFA
  • Team and organization management
  • Role-based access control
  • Built-in rate limiting and security
  • Edge-native performance with global distribution
Base URL

All API requests should be made to https://api.cead.dev/api/v1

Quickstart

Get up and running with Cead in 5 minutes.

1. Create an Application

Sign up at cead.dev and create a new application. You'll receive an API key that looks like pk_live_...

2. Install the SDK

npm install @cead/sveltekit

3. Configure the Auth Handler

Add the auth handler to your SvelteKit hooks:

// src/hooks.server.ts
import { createAuthHandler } from '@cead/sveltekit';

export const handle = createAuthHandler({
  apiKey: 'pk_live_your_api_key',
  apiUrl: 'https://api.cead.dev'
});

4. Add Sign In

<script>
  import { signIn } from '@cead/sveltekit';
</script>

<button onclick={signIn}>Sign In</button>

That's it! Your app now has authentication.

Installation

Install the Cead SDK for your framework:

SvelteKit

npm install @cead/sveltekit

Direct API

You can also use the REST API directly. All endpoints are available at https://api.cead.dev/api/v1.

Email & Password

The most common authentication method. Users register with an email and password, then sign in with those credentials.

Register a User

POST /auth/register
{
  "email": "user@example.com",
  "password": "SecurePassword123!"
}

The password must meet these requirements:

  • Minimum 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number

Sign In

POST /auth/login
{
  "email": "user@example.com",
  "password": "SecurePassword123!"
}

Returns a session token on success:

{
  "session": {
    "token": "sess_...",
    "expires_at": "2026-01-16T00:00:00Z"
  },
  "user": {
    "id": "usr_...",
    "email": "user@example.com"
  }
}

Passwordless authentication via email. Users receive a one-time link to sign in.

Request Magic Link

POST /auth/magic-link
{
  "email": "user@example.com",
  "redirect_url": "https://yourapp.com/auth/callback"
}

The user will receive an email with a link containing a verification token. When they click it, exchange the token for a session:

Verify Magic Link

POST /auth/magic-link/verify
{
  "token": "mlk_verification_token"
}

OAuth Providers

Support social login with Google, GitHub, and more.

Supported Providers

Provider Endpoint Scopes
Google /oauth/google/authorize email, profile
GitHub /oauth/github/authorize user:email
Microsoft /oauth/microsoft/authorize email, profile
Discord /oauth/discord/authorize identify, email

OAuth Flow

  1. Redirect user to /oauth/{provider}/authorize?redirect_url=...
  2. User authenticates with the provider
  3. Provider redirects back to your redirect_url with an auth code
  4. Exchange the code for a session at /oauth/{provider}/callback

Multi-Factor Authentication

Add an extra layer of security with TOTP-based MFA.

Enable MFA

POST /mfa/totp/setup

Returns a TOTP secret and QR code URL. The user should scan this with their authenticator app.

Verify MFA Setup

POST /mfa/totp/verify
{
  "code": "123456"
}

After verification, MFA will be required on subsequent logins.

SvelteKit SDK

The SvelteKit SDK provides a seamless integration with your SvelteKit application.

Configuration

// src/hooks.server.ts
import { createAuthHandler } from '@cead/sveltekit';

export const handle = createAuthHandler({
  apiKey: process.env.CEAD_API_KEY,
  apiUrl: 'https://api.cead.dev',
  cookieName: 'cead_session',  // optional
  cookieOptions: {             // optional
    secure: true,
    sameSite: 'lax'
  }
});

Available Functions

Function Description
signIn() Redirect to sign in page
signOut() Clear session and redirect
getSession() Get current session from locals
requireAuth() Throw redirect if not authenticated

Session Management

Sessions are managed automatically by the SDK. Each session has a configurable expiration time.

Get Current User

// +page.server.ts
export const load = async ({ locals }) => {
  const user = locals.user;
  return { user };
};

Refresh Session

POST /session/refresh

Revoke Session

DELETE /session

Protected Routes

Protect routes that require authentication:

// src/routes/dashboard/+page.server.ts
import { requireAuth } from '@cead/sveltekit';

export const load = async ({ locals }) => {
  const user = requireAuth(locals);

  // User is guaranteed to be authenticated here
  return {
    user,
    // ... load dashboard data
  };
};

If the user is not authenticated, they'll be redirected to the sign-in page.

API Authentication

All API requests must include your API key in the header:

curl -X GET https://api.cead.dev/api/v1/user \
  -H "Authorization: Bearer pk_live_your_api_key" \
  -H "X-Session-Token: sess_user_session_token"

Users API

Get Current User

GET /user

Update User

PATCH /user
{
  "name": "John Doe",
  "metadata": {
    "preferences": {
      "theme": "dark"
    }
  }
}

Delete User

DELETE /user

Sessions API

List Sessions

GET /user/sessions

Revoke Session

DELETE /user/sessions/{session_id}

Teams API

Manage teams and team memberships.

Create Team

POST /teams
{
  "name": "My Team",
  "slug": "my-team"
}

List Teams

GET /teams

Invite Member

POST /teams/{team_id}/invitations
{
  "email": "teammate@example.com",
  "role": "member"
}

Webhooks

Receive real-time notifications when events occur in your application.

Available Events

Event Description
user.created A new user registered
user.updated User profile was updated
user.deleted User account was deleted
session.created User signed in
session.revoked Session was revoked
team.created A new team was created
team.member.added Member joined a team

Webhook Payload

{
  "id": "evt_...",
  "type": "user.created",
  "created_at": "2026-01-09T00:00:00Z",
  "data": {
    "user": {
      "id": "usr_...",
      "email": "user@example.com"
    }
  }
}
Verify Webhook Signatures

Always verify the X-Webhook-Signature header to ensure webhooks are authentic.

Email Templates

Customize the emails sent to your users.

Available Templates

  • welcome - Sent when a user registers
  • magic_link - Contains the magic link for passwordless login
  • password_reset - Password reset instructions
  • email_verification - Email verification link
  • team_invitation - Team invite notification

Template Variables

Use these variables in your templates:

  • {{user.email}} - User's email address
  • {{user.name}} - User's display name
  • {{action_url}} - The action link (magic link, reset link, etc.)
  • {{app.name}} - Your application name

Security

Cead is built with security as a top priority.

Built-in Protections

  • Rate Limiting - Automatic rate limiting on all auth endpoints
  • Brute Force Protection - Account lockout after failed attempts
  • Encrypted Secrets - All sensitive data encrypted at rest
  • Secure Sessions - Cryptographically secure session tokens
  • CSRF Protection - Built into all SDK integrations

Best Practices

  1. Always use HTTPS in production
  2. Keep your API keys secret - never commit them to git
  3. Enable MFA for admin accounts
  4. Set up webhook signature verification
  5. Use environment variables for configuration
Need Help?

If you have questions or need support, reach out at support@cead.dev