Heartwood Auth

What it does

The Heartwood Auth skill enables AI agents to integrate authentication into Grove applications, protecting routes and validating user sessions. It leverages Grove's centralized authentication service (Heartwood), powered by Better Auth, offering features like OAuth sign-in with Google, magic links via Resend, passkeys for passwordless authentication, and cross-subdomain single sign-on. The skill provides multiple integration options to suit both new and existing applications within the .grove.place domain.

When to use it

This skill is useful in these scenarios:

• Adding authentication to a new Grove application.
• Protecting administrative routes within an application.
• Validating user sessions after login.
• Setting up OAuth sign-in using Google.
• Integrating with the existing Heartwood (GroveAuth) infrastructure.

Key capabilities

• OAuth Providers: Google
• Magic Links: Click-to-login emails via Resend
• Passkeys: WebAuthn passwordless authentication
• KV-Cached Sessions: Fast session validation (sub-100ms)
• Cross-Subdomain SSO: Single sign-on across all .grove.place subdomains
• Multiple integration options: Better Auth Client, Cookie-Based SSO, and Legacy Token Flow

Example prompts

Here are some example prompts for an AI agent using the Heartwood Auth skill:

• "Authenticate this user with Google OAuth."
• "Validate the current session token."
• "Sign out the logged-in user."
• "Generate a magic link for passwordless login."

Tips & gotchas

• For new integrations, using the Better Auth Client (as shown in the source code) is recommended.
• Apps on .grove.place subdomains can leverage automatic session handling via cookies.
• Existing integrations might need to use the Legacy Token Flow for backwards compatibility.